http://bugzilla.suse.com/show_bug.cgi?id=1134131
http://bugzilla.suse.com/show_bug.cgi?id=1134131#c11
--- Comment #11 from Matthias Gerstner
https://github.com/linuxdeepin/dde-file-manager/pull/195 requiring authorization before take actions.
Okay, this reduces the attack surface considerably by default.
https://github.com/linuxdeepin/dde-file-manager/pull/194 remove unused com.deepin.filemanager.daemon.policy
Good, this is necessary cleanup.
https://github.com/linuxdeepin/dde-file-manager/pull/193 fix crash issues while execute without parameter, and unify the output between not existing and not a block device.
Hmm the check `!path.startsWith("/dev/")` is not good style. You need to stat() the file and check the file type. You should also make sure the path is not a symlink (by using O_NOFOLLOW). A sequence like int fd = open(path, O_PATH | O_NOFOLLOW); struct stat s; fstat(fd, &s); if( ! (s.st_mode & S_IFBLK) || s.st_uid != 0) { // fail } would be needed. Don't know right away how to achieve that best with Qt API, it is not well designed for security, sadly. You can additionally keep the check for the /dev prefix but before checking for that prefix you should normalize the path, otherwise the user can simply specify something like /dev/../root/.bashrc.
https://github.com/linuxdeepin/dde-file-manager/pull/196 compatibility with new format of lsblk output
Okay this should work.
https://github.com/linuxdeepin/dde-file-manager/pull/190 don't read .pam_enviroment any more
Good. -- You are receiving this mail because: You are on the CC list for the bug.