
Bug#779569: addToJavaScriptWindowObject exports QObject's slots by default



forwarded 779569 https://bugreports.qt.io/browse/QTBUG-45049
thanks

On Monday 02 March 2015 15:28:49 Enrico Zini wrote:
> Source: qtwebkit-opensource-src
> Version: 5.3.2+dfsg-3
> Severity: normal
> 
> Hello,

Hi Enrico!

> http://doc.qt.io/qt-5/qwebframe.html#addToJavaScriptWindowObject
> describes how to export QObjects to JavaScript, so that properties and
> slots are automatically exported, and that is cool. However, QObject
> (and all its descendants) has a deleteLater() slot, which (I verified)
> also gets automatically exported to JavaScript. I can call it from JS
> and segfault everything.
> 
> There seems to be no way from JS to invoke functions from a carefully
> crafted API so that JavaScript cannot do damage. The "Internet Security"
> bit of http://doc.qt.io/qt-5/qtwebkit-bridge.html is quite limited, and
> the way I read it, it seems to imply that the unsafe bits come from
> exporting too much, not from exporting objects at all. I would think
> that with that slot exported, exporting anything is already too much.
> 
> I haven't checked if the objectName property is also exported and
> writable: if that is the case, that could be another potential attack
> vector.
> 
> I would expect to either see this situation documented clearly in
> "Internet Security", or to have QObject's own signal and properties NOT
> exported by default.

I really have no idea about JS, although I can see there is room for problems. I 
have just forwarded the bug upstream. It would be really cool if you could 
follow it up there, just to avoid me being a (possibly malfunctioning) proxy.

By the way, webkit is not developed anymore; upstream is switching to 
QtWebCore, which is based on Chrome's engine. So far no one has stepped up to 
package it, as it has lots of embedded stuff (including ffmpeg and libv8), so 
chances are that we are not going to see it soon in the archive.

Kind regards, Lisandro.

-- 
The generation of random numbers is too important to be left to chance.
  http://www.devtopics.com/best-programming-jokes/

Lisandro Damián Nicanor Pérez Meyer
http://perezmeyer.com.ar/
http://perezmeyer.blogspot.com/
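The report above says that an object exposed through QWebFrame::addToJavaScriptWindowObject carries QObject's own deleteLater() slot (and possibly a writable objectName) along with the intended API. The following is an added example, not code from the bug report or from Qt: an audit script a page developer can paste into the JS console of a QtWebKit view to list what the exposed object actually offers and flag the QObject base members before a page script stumbles on them. deleteLater and objectName are the members the report names; that the bridge also exports QObject's destroyed and objectNameChanged signals is an assumption. Here it runs offline against a constructed stand-in object, so nothing is actually deleted.

```javascript
// Added example (not from the bug report or Qt): audit an object that a host
// application exposed via QWebFrame::addToJavaScriptWindowObject, and flag
// members that come from QObject itself rather than from the intended API.
// In a real page run auditExposedObject(window.<exposedName>) in the console;
// here it is run against a constructed stand-in so it works under Node.

// Members every QObject carries. deleteLater and objectName are the ones the
// bug report names; destroyed/objectNameChanged are QObject's own signals
// (assumption: the bridge exports them too, so they are worth flagging).
const QOBJECT_BASE_MEMBERS = new Set([
  'deleteLater', 'destroyed', 'objectName', 'objectNameChanged',
]);

// Collect every member name reachable on obj, including inherited ones,
// because the bridge may place slots on the object or on a prototype.
function collectMembers(obj) {
  const names = new Set();
  for (let o = obj; o && o !== Object.prototype; o = Object.getPrototypeOf(o)) {
    for (const n of Object.getOwnPropertyNames(o)) names.add(n);
  }
  return names;
}

// Find the property descriptor for name anywhere on obj's prototype chain.
function findDescriptor(obj, name) {
  for (let o = obj; o; o = Object.getPrototypeOf(o)) {
    const d = Object.getOwnPropertyDescriptor(o, name);
    if (d) return d;
  }
  return undefined;
}

// Return { dangerous, api }: dangerous lists QObject base members a page
// script could call or overwrite (with whether each is callable/writable),
// api lists the members the host actually meant to expose. Nothing is
// invoked: calling deleteLater() would destroy the C++ object behind obj.
function auditExposedObject(obj) {
  const dangerous = [];
  const api = [];
  for (const name of collectMembers(obj)) {
    if (name === 'constructor') continue;
    if (QOBJECT_BASE_MEMBERS.has(name)) {
      const desc = findDescriptor(obj, name);
      dangerous.push({
        name,
        callable: typeof obj[name] === 'function',
        writable: !!desc && (desc.writable === true || typeof desc.set === 'function'),
      });
    } else {
      api.push(name);
    }
  }
  dangerous.sort((a, b) => a.name.localeCompare(b.name));
  api.sort();
  return { dangerous, api };
}

// Constructed stand-in for an exposed QObject: one intended slot
// (saveDocument) plus the QObject members the bridge exports along with it.
function makeFakeExposedObject() {
  const proto = {
    deleteLater() { throw new Error('would delete the C++ object'); },
    destroyed() {},
    objectNameChanged() {},
    saveDocument() { return 'saved'; },
  };
  const obj = Object.create(proto);
  obj.objectName = 'bridge'; // plain data property: writable from JS
  return obj;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(auditExposedObject(makeFakeExposedObject()), null, 2));
}
```

The point of separating dangerous from api is that only the api list is what the host intended; anything in dangerous is reachable by any script the page loads, so a host that cannot drop those members should treat the exposed object as fully trusting the page content.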
