Hi,

Shortly after Qt 6.8.2 was released I reported
https://bugreports.qt.io/browse/QTBUG-133397

The issue is that the submodule qttools/src/assistant/qlitehtml
<https://code.qt.io/cgit/qt/qttools.git/tree/.gitmodules?h=6.8.2> is using
a relative path: ../../playground/qlitehtml.git

Because the qlitehtml repo is under playground/ and not under the qt/
directory, this relative path is meaningless almost everywhere except on
code.qt.io.

In particular on github.com, it points to
https://github.com/playground/qlitehtml.git
The issue is that anyone controlling the https://github.com/playground
account is able to have Qt users checkout their own qlitehtml repo, with
potentially malicious changes.
Luckily for now the repo https://github.com/playground/qlitehtml.git does
not exist and the cloning process fails (which is already bad on its own).

Right now I would advocate for moving qlitehtml repo from playground to qt
and take proper action so that developers cloning Qt from github.com, or
other online git services, do not end up cloning repos from random 3rd
parties.

In the long term, there should be rules and checks put in place to ensure
submodules in qt repos do not use relative URLs to point to repos outside
of the qt/ directory.

Regards,

Benjamin Terrier
-- 
Development mailing list
Development@qt-project.org
https://lists.qt-project.org/listinfo/development
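An added example, not part of this post or of any Qt tooling, showing why the relative path above resolves differently on different hosts and how a check of the kind the last paragraph asks for could work. Git resolves a relative submodule URL against the superproject's own remote URL: each leading `../` drops one path component (starting with the repository name itself), and the remainder is appended. The script reproduces that rule for `scheme://host/path` remotes (scp-style `host:path` remotes are deliberately not handled) and flags every relative submodule URL that resolves outside an allowed namespace. The `.gitmodules` content and the `src/sibling` and `src/vendored` entries are constructed sample input; the GitHub remote and the `https://github.com/qt/` prefix are assumptions about how such a check would be configured.

```python
"""Resolve relative submodule URLs like git does and flag ones that escape a namespace."""
import posixpath
from urllib.parse import urlsplit, urlunsplit

# Constructed sample .gitmodules (not the real qttools file): the first entry mirrors the
# relative path described in the post, the other two are controls for the check.
SAMPLE_GITMODULES = """\
[submodule "src/assistant/qlitehtml"]
\tpath = src/assistant/qlitehtml
\turl = ../../playground/qlitehtml.git
[submodule "src/sibling"]
\tpath = src/sibling
\turl = ../qtbase.git
[submodule "src/vendored"]
\tpath = src/vendored
\turl = https://example.invalid/vendor/lib.git
"""


def parse_gitmodules(text: str) -> dict:
    """Minimal .gitmodules parser: {submodule name: {key: value}}."""
    modules, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[submodule ") and line.endswith("]"):
            current = line[len("[submodule "):-1].strip().strip('"')
            modules[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            modules[current][key.strip()] = value.strip()
    return modules


def resolve_submodule_url(superproject_remote: str, url: str) -> str:
    """Resolve a submodule URL the way git does for relative entries.

    Each leading '../' removes one path component from the superproject remote
    (first the repository name, then its parent directory, ...); './' is a no-op.
    Absolute URLs are returned unchanged. Assumption: the remote is scheme://host/path.
    """
    if not url.startswith(("./", "../")):
        return url
    parts = urlsplit(superproject_remote)
    if not parts.scheme or not parts.netloc:
        raise ValueError(f"unsupported remote URL form: {superproject_remote!r}")
    base, rel = parts.path.rstrip("/"), url
    while True:
        if rel.startswith("../"):
            base, rel = posixpath.dirname(base), rel[3:]   # e.g. /qt/qttools.git -> /qt -> /
        elif rel.startswith("./"):
            rel = rel[2:]
        else:
            break
    new_path = posixpath.join(base or "/", rel)
    return urlunsplit((parts.scheme, parts.netloc, new_path, "", ""))


def find_escaping_submodules(gitmodules_text: str, superproject_remote: str,
                             allowed_prefix: str) -> list:
    """Return (name, raw url, resolved url) for every *relative* submodule URL whose
    resolution against superproject_remote does not start with allowed_prefix.
    Absolute URLs are left to whatever separate policy a project applies to them."""
    findings = []
    for name, keys in parse_gitmodules(gitmodules_text).items():
        url = keys.get("url")
        if not url or not url.startswith(("./", "../")):
            continue
        resolved = resolve_submodule_url(superproject_remote, url)
        if not resolved.startswith(allowed_prefix):
            findings.append((name, url, resolved))
    return findings


if __name__ == "__main__":
    # The same .gitmodules, resolved against two different superproject remotes.
    for remote, prefix in (("https://code.qt.io/qt/qttools.git", "https://code.qt.io/qt/"),
                           ("https://github.com/qt/qttools.git", "https://github.com/qt/")):
        print(f"superproject remote: {remote}")
        for name, url, resolved in find_escaping_submodules(SAMPLE_GITMODULES, remote, prefix):
            print(f"  ESCAPES {prefix}: {name}: {url} -> {resolved}")
```

Run against the GitHub remote the check reports `src/assistant/qlitehtml` resolving to `https://github.com/playground/qlitehtml.git`, i.e. a repository under an organisation the project does not control, while `../qtbase.git` stays inside `qt/` and is not reported. A CI job could run the same function over every superproject's `.gitmodules` with each mirror's remote URL and fail the build on any finding.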
