Am 24.01.2014 um 17:13 schrieb Richard Moore <[email protected]>:
> On 24 January 2014 14:34, Phil Hannent <[email protected]> wrote:
>> I have a version 1.0 that I can bundle next to the application and to
>> use that. It would certainly be helpful to have the ability to toggle
>> where QLibrary searches in a bid to remove potential security and
>> usability issues, however that's clearly a philosophical point of
>> view.
>
> You mean something like the following methods in QCoreApplication? :-)
>
> static void setLibraryPaths(const QStringList &);
Does that also affect where QWebkit searches for OpenSSL which is /not/ a Qt
plugin?
I am afraid that this is not the case, since according to the OP the
application tried to pickup corresponding OpenSSL libraries in some foreign
program folders ("Tortoise", "CMake") which are /not/ locations where Qt
plugins would be searched -> which leads to the assumption that QWebkit is
/not/ taking into account the "Qt Plugin Path". And why should it? It is very
unlikely than an OpenSSL library is to be found there ;)
So the fact that QWebKit scans some (all?) program directories is probably
because those applications have registered their "bin" directories in the
Windows Registry to be included in the PATH.
Still, that is rather scary that a plugin is searched in the PATH and indicates
(my speculstion!) that QWebkit does /not/ restrict its search with /absolute/
paths which point to well known directories such as
c:\Windows\WhateverIsConsideredSecureInHere\OpenSSL.dll. Doh!
By the way, the term to google is "DLL hijacking" or "DLL planting". There was
quite some news about this in around 2010 because even MS Office was affected
by those *programming errors*. I can't remember the details, but I think the
result was that Microsoft added a registry key which would allow users to at
least prevent DLLs to be loaded (with a relative path given like
LoadLibrary("OpenSSL.dll") <- BAD!) from the current working directory (which
would happen e.g. when opening a document from an USB stick or network
share/WebDAV folder etc.)
But then again, I am having a hard time trying to imagine that "DLL planting"
an OpenSSL library into (Q)Webkit must have gone unnoticed... (do I hear some
nervous keyboard hacking somewhere? ;)
Cheers,
Oliver
_______________________________________________
Interest mailing list
[email protected]
http://lists.qt-project.org/mailman/listinfo/interest
