extra whitelist of allowed paths
This commit is contained in:
parent
10f412ca4a
commit
86369030de
@ -30,12 +30,30 @@ PackageUrlInterceptor::PackageUrlInterceptor(QQmlEngine *engine, const Plasma::P
|
||||
m_package(p),
|
||||
m_engine(engine)
|
||||
{
|
||||
foreach (const QString &import, m_engine->importPathList()) {
|
||||
m_allowedPaths << import;
|
||||
}
|
||||
}
|
||||
|
||||
PackageUrlInterceptor::~PackageUrlInterceptor()
|
||||
{
|
||||
}
|
||||
|
||||
void PackageUrlInterceptor::addAllowedPath(const QString &path)
|
||||
{
|
||||
m_allowedPaths << path;
|
||||
}
|
||||
|
||||
void PackageUrlInterceptor::removeAllowedPath(const QString &path)
|
||||
{
|
||||
m_allowedPaths.removeAll(path);
|
||||
}
|
||||
|
||||
QStringList PackageUrlInterceptor::allowedPaths() const
|
||||
{
|
||||
return m_allowedPaths;
|
||||
}
|
||||
|
||||
QUrl PackageUrlInterceptor::intercept(const QUrl &path, QQmlAbstractUrlInterceptor::DataType type)
|
||||
{
|
||||
//qDebug() << "Intercepted URL:" << path;
|
||||
@ -86,18 +104,17 @@ QUrl PackageUrlInterceptor::intercept(const QUrl &path, QQmlAbstractUrlIntercept
|
||||
|
||||
//forbid to load random absolute paths
|
||||
} else {
|
||||
foreach (const QString &import, m_engine->importPathList()) {
|
||||
//it's from an import, good
|
||||
//TODO: implement imports whitelist?
|
||||
if (path.path().startsWith(import)) {
|
||||
//qDebug() << "Found import, access granted" << path;
|
||||
foreach (const QString &allowed, m_allowedPaths) {
|
||||
//it's from an allowed, good
|
||||
if (path.path().startsWith(allowed)) {
|
||||
//qDebug() << "Found allowed, access granted" << path;
|
||||
|
||||
//check if there is a platform specific file that overrides this import
|
||||
//check if there is a platform specific file that overrides this allowed
|
||||
foreach (const QString &platform, KDeclarative::runtimePlatform()) {
|
||||
//qDebug() << "Trying" << platform;
|
||||
|
||||
//search for a platformqml/ path sibling of this import path
|
||||
const QString &platformPath = import+QStringLiteral("/../platformqml/")+platform+path.path().mid(import.length());
|
||||
//search for a platformqml/ path sibling of this allowed path
|
||||
const QString &platformPath = allowed+QStringLiteral("/../platformqml/")+platform+path.path().mid(allowed.length());
|
||||
const QFile f(platformPath);
|
||||
|
||||
//qDebug() << "Found a platform specific file:" << QUrl::fromLocalFile(platformPath)<<f.exists();
|
||||
@ -108,13 +125,16 @@ QUrl PackageUrlInterceptor::intercept(const QUrl &path, QQmlAbstractUrlIntercept
|
||||
return path;
|
||||
}
|
||||
}
|
||||
qWarning() << "WARNING: Access denied for URL" << path << m_package.path();
|
||||
}
|
||||
}
|
||||
|
||||
//for now, just allow qmldirs
|
||||
} else {
|
||||
return path;
|
||||
}
|
||||
|
||||
qWarning() << "WARNING: Access denied for URL" << path << m_package.path();
|
||||
return QUrl();
|
||||
}
|
||||
|
||||
|
||||
|
||||
|
||||
|
@ -35,6 +35,10 @@ public:
|
||||
PackageUrlInterceptor(QQmlEngine *engine, const Plasma::Package &p);
|
||||
virtual ~PackageUrlInterceptor();
|
||||
|
||||
void addAllowedPath(const QString &path);
|
||||
void removeAllowedPath(const QString &path);
|
||||
QStringList allowedPaths() const;
|
||||
|
||||
virtual QUrl intercept(const QUrl &path, QQmlAbstractUrlInterceptor::DataType type);
|
||||
|
||||
static inline QByteArray prefixForType(QQmlAbstractUrlInterceptor::DataType type, const QString &fileName)
|
||||
@ -68,6 +72,7 @@ public:
|
||||
|
||||
private:
|
||||
Plasma::Package m_package;
|
||||
QStringList m_allowedPaths;
|
||||
QQmlEngine *m_engine;
|
||||
};
|
||||
|
||||
|
@ -111,7 +111,9 @@ void AppletInterface::init()
|
||||
|
||||
//Hook generic url resolution to the applet package as well
|
||||
//TODO: same thing will have to be done for every qqmlengine: PackageUrlInterceptor is material for plasmaquick?
|
||||
engine->setUrlInterceptor(new PackageUrlInterceptor(engine, m_appletScriptEngine->package()));
|
||||
PackageUrlInterceptor *interceptor = new PackageUrlInterceptor(engine, m_appletScriptEngine->package());
|
||||
interceptor->addAllowedPath(applet()->containment()->corona()->package().path());
|
||||
engine->setUrlInterceptor(interceptor);
|
||||
|
||||
m_qmlObject->setSource(QUrl::fromLocalFile(m_appletScriptEngine->mainScript()));
|
||||
|
||||
|
@ -50,6 +50,7 @@
|
||||
#include <kactivities/info.h>
|
||||
|
||||
#include "kdeclarative/configpropertymap.h"
|
||||
#include <packageurlinterceptor.h>
|
||||
|
||||
ContainmentInterface::ContainmentInterface(DeclarativeAppletScript *parent)
|
||||
: AppletInterface(parent),
|
||||
@ -111,12 +112,18 @@ void ContainmentInterface::init()
|
||||
}
|
||||
|
||||
Plasma::Package pkg = Plasma::PluginLoader::self()->loadPackage("Plasma/Generic");
|
||||
|
||||
if (defaults.isValid()) {
|
||||
pkg.setPath(defaults.readEntry("ToolBox", "org.kde.desktoptoolbox"));
|
||||
} else {
|
||||
pkg.setPath("org.kde.desktoptoolbox");
|
||||
}
|
||||
|
||||
PackageUrlInterceptor *interceptor = dynamic_cast<PackageUrlInterceptor *>(m_qmlObject->engine()->urlInterceptor());
|
||||
if (interceptor) {
|
||||
interceptor->addAllowedPath(pkg.path());
|
||||
}
|
||||
|
||||
if (pkg.isValid()) {
|
||||
QObject *toolBoxObject = m_qmlObject->createObjectFromSource(QUrl::fromLocalFile(pkg.filePath("mainscript")));
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user