Source: qtwebkit-opensource-src Version: 5.3.2+dfsg-3 Severity: normal Hello,
http://doc.qt.io/qt-5/qwebframe.html#addToJavaScriptWindowObject describes how to export QObjects to JavaScript, so that properties and slots are automatically exported, and that is cool. However, QObject (and all its descendants) has a deleteLater() slot, which (I verified) also gets automatically exported to JavaScript. I can call it from JS and segfault everything. There seems to be no way from JS to invoke functions from a carefully crafted API so that JavaScript cannot do damage. The "Internet Security" bit of http://doc.qt.io/qt-5/qtwebkit-bridge.html is quite limited, and the way I read it, it seems to imply that the usafe bits come from exporting too much, not from exporting objects at all. I would think that with that slot exported, exporting anything is already too much. I haven't checked if the objectName property is also exported and writable: if that is the case, that could be another potential attack vector. I would expect to either see this situation documented clearly in "Internet Security", or to have QObject's own signal and properties NOT exported by default. Thank you for your work on maintaining Qt! Enrico P.S. I leave it up to you to decide on the severity of this bug: it could go from critical to wishlist according to how this feature is currently being used by other software. -- System Information: Debian Release: 8.0 APT prefers testing APT policy: (500, 'testing') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.19.0-trunk-amd64 (SMP w/4 CPU cores) Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
