[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#779569: marked as done (addToJavaScriptWindowObject exports QObject's slots by default)

Your message dated Thu, 04 Sep 2025 17:59:28 +0000
with message-id <[🔎] E1uuEF6-009us6-0t@fasolo.debian.org>
and subject line Bug#1111522: Removed package(s) from unstable
has caused the Debian Bug report #779569,
regarding addToJavaScriptWindowObject exports QObject's slots by default
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
779569: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=779569
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Source: qtwebkit-opensource-src
Version: 5.3.2+dfsg-3
Severity: normal

Hello,

http://doc.qt.io/qt-5/qwebframe.html#addToJavaScriptWindowObject
describes how to export QObjects to JavaScript, so that properties and
slots are automatically exported, and that is cool. However, QObject
(and all its descendants) has a deleteLater() slot, which (I verified)
also gets automatically exported to JavaScript. I can call it from JS
and segfault everything.

There seems to be no way from JS to invoke functions from a carefully
crafted API so that JavaScript cannot do damage. The "Internet Security"
bit of http://doc.qt.io/qt-5/qtwebkit-bridge.html is quite limited, and
the way I read it, it seems to imply that the usafe bits come from
exporting too much, not from exporting objects at all. I would think
that with that slot exported, exporting anything is already too much.

I haven't checked if the objectName property is also exported and
writable: if that is the case, that could be another potential attack
vector.

I would expect to either see this situation documented clearly in
"Internet Security", or to have QObject's own signal and properties NOT
exported by default.


Thank you for your work on maintaining Qt!

Enrico


P.S.
I leave it up to you to decide on the severity of this bug: it could go
from critical to wishlist according to how this feature is currently
being used by other software.

-- System Information:
Debian Release: 8.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.19.0-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

--- End Message ---
--- Begin Message --- 
Version: 5.212.0~alpha4-42+rm

Dear submitter,

as the package qtwebkit-opensource-src has just been removed from the Debian archive
unstable we hereby close the associated bug reports.  We are sorry
that we couldn't deal with your issue properly.

For details on the removal, please see https://bugs.debian.org/1111522

The version of this package that was in Debian prior to this removal
can still be found using https://snapshot.debian.org/.

Please note that the changes have been done on the master archive and
will not propagate to any mirrors until the next dinstall run at the
earliest.

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmaster@ftp-master.debian.org.

Debian distribution maintenance software
pp.
Thorsten Alteholz (the ftpmaster behind the curtain)

--- End Message ---
Reply to: