From 86369030de0b779275167a423ddb6a7f7a4be6d2 Mon Sep 17 00:00:00 2001 From: Marco Martin Date: Fri, 27 Dec 2013 14:59:37 +0100 Subject: [PATCH] extra whitelist of allowed paths --- src/plasmaquick/packageurlinterceptor.cpp | 40 ++++++++++++++----- src/plasmaquick/packageurlinterceptor.h | 5 +++ .../qml/plasmoid/appletinterface.cpp | 4 +- .../qml/plasmoid/containmentinterface.cpp | 7 ++++ 4 files changed, 45 insertions(+), 11 deletions(-) diff --git a/src/plasmaquick/packageurlinterceptor.cpp b/src/plasmaquick/packageurlinterceptor.cpp index ed4bf431e..3c0c0b32b 100644 --- a/src/plasmaquick/packageurlinterceptor.cpp +++ b/src/plasmaquick/packageurlinterceptor.cpp @@ -30,12 +30,30 @@ PackageUrlInterceptor::PackageUrlInterceptor(QQmlEngine *engine, const Plasma::P m_package(p), m_engine(engine) { + foreach (const QString &import, m_engine->importPathList()) { + m_allowedPaths << import; + } } PackageUrlInterceptor::~PackageUrlInterceptor() { } +void PackageUrlInterceptor::addAllowedPath(const QString &path) +{ + m_allowedPaths << path; +} + +void PackageUrlInterceptor::removeAllowedPath(const QString &path) +{ + m_allowedPaths.removeAll(path); +} + +QStringList PackageUrlInterceptor::allowedPaths() const +{ + return m_allowedPaths; +} + QUrl PackageUrlInterceptor::intercept(const QUrl &path, QQmlAbstractUrlInterceptor::DataType type) { //qDebug() << "Intercepted URL:" << path; @@ -86,18 +104,17 @@ QUrl PackageUrlInterceptor::intercept(const QUrl &path, QQmlAbstractUrlIntercept //forbid to load random absolute paths } else { - foreach (const QString &import, m_engine->importPathList()) { - //it's from an import, good - //TODO: implement imports whitelist? - if (path.path().startsWith(import)) { - //qDebug() << "Found import, access granted" << path; + foreach (const QString &allowed, m_allowedPaths) { + //it's from an allowed, good + if (path.path().startsWith(allowed)) { + //qDebug() << "Found allowed, access granted" << path; - //check if there is a platform specific file that overrides this import + //check if there is a platform specific file that overrides this allowed foreach (const QString &platform, KDeclarative::runtimePlatform()) { //qDebug() << "Trying" << platform; - //search for a platformqml/ path sibling of this import path - const QString &platformPath = import+QStringLiteral("/../platformqml/")+platform+path.path().mid(import.length()); + //search for a platformqml/ path sibling of this allowed path + const QString &platformPath = allowed+QStringLiteral("/../platformqml/")+platform+path.path().mid(allowed.length()); const QFile f(platformPath); //qDebug() << "Found a platform specific file:" << QUrl::fromLocalFile(platformPath)<setUrlInterceptor(new PackageUrlInterceptor(engine, m_appletScriptEngine->package())); + PackageUrlInterceptor *interceptor = new PackageUrlInterceptor(engine, m_appletScriptEngine->package()); + interceptor->addAllowedPath(applet()->containment()->corona()->package().path()); + engine->setUrlInterceptor(interceptor); m_qmlObject->setSource(QUrl::fromLocalFile(m_appletScriptEngine->mainScript())); diff --git a/src/scriptengines/qml/plasmoid/containmentinterface.cpp b/src/scriptengines/qml/plasmoid/containmentinterface.cpp index fc82823ba..23edb672d 100644 --- a/src/scriptengines/qml/plasmoid/containmentinterface.cpp +++ b/src/scriptengines/qml/plasmoid/containmentinterface.cpp @@ -50,6 +50,7 @@ #include #include "kdeclarative/configpropertymap.h" +#include ContainmentInterface::ContainmentInterface(DeclarativeAppletScript *parent) : AppletInterface(parent), @@ -111,12 +112,18 @@ void ContainmentInterface::init() } Plasma::Package pkg = Plasma::PluginLoader::self()->loadPackage("Plasma/Generic"); + if (defaults.isValid()) { pkg.setPath(defaults.readEntry("ToolBox", "org.kde.desktoptoolbox")); } else { pkg.setPath("org.kde.desktoptoolbox"); } + PackageUrlInterceptor *interceptor = dynamic_cast(m_qmlObject->engine()->urlInterceptor()); + if (interceptor) { + interceptor->addAllowedPath(pkg.path()); + } + if (pkg.isValid()) { QObject *toolBoxObject = m_qmlObject->createObjectFromSource(QUrl::fromLocalFile(pkg.filePath("mainscript")));