Details
-
Bug
-
Resolution: Won't Do
-
P3: Somewhat important
-
None
-
5.3.2, 5.4.1
-
None
-
Debian GNU/Linux
Description
A Debian user writes in [0]:
Hello,
http://doc.qt.io/qt-5/qwebframe.html#addToJavaScriptWindowObject
describes how to export QObjects to JavaScript, so that properties and
slots are automatically exported, and that is cool. However, QObject
(and all its descendants) has a deleteLater() slot, which (I verified)
also gets automatically exported to JavaScript. I can call it from JS
and segfault everything.There seems to be no way from JS to invoke functions from a carefully
crafted API so that JavaScript cannot do damage. The "Internet Security"
bit of http://doc.qt.io/qt-5/qtwebkit-bridge.html is quite limited, and
the way I read it, it seems to imply that the usafe bits come from
exporting too much, not from exporting objects at all. I would think
that with that slot exported, exporting anything is already too much.I haven't checked if the objectName property is also exported and
writable: if that is the case, that could be another potential attack
vector.I would expect to either see this situation documented clearly in
"Internet Security", or to have QObject's own signal and properties NOT
exported by default.
[0] <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=779569>
I really have no idea wrt javascript so I leave this to you.