On 24.01.2014 at 17:13, Richard Moore <r...@kde.org> wrote:

> On 24 January 2014 14:34, Phil Hannent <p...@hannent.co.uk> wrote:
>> I have a version 1.0 that I can bundle next to the application and to
>> use that. It would certainly be helpful to have the ability to toggle
>> where QLibrary searches in a bid to remove potential security and
>> usability issues, however that's clearly a philosophical point of
>> view.
> 
> You mean something like the following methods in QCoreApplication? :-)
> 
> static void setLibraryPaths(const QStringList &);

Does that also affect where QWebkit searches for OpenSSL which is /not/ a Qt 
plugin?

I am afraid that this is not the case, since according to the OP the 
application tried to pick up corresponding OpenSSL libraries in some foreign 
program folders ("Tortoise", "CMake") which are /not/ locations where Qt 
plugins would be searched -> which leads to the assumption that QWebkit is 
/not/ taking into account the "Qt Plugin Path". And why should it? It is very 
unlikely that an OpenSSL library is to be found there ;)

So the fact that QWebKit scans some (all?) program directories is probably 
because those applications have registered their "bin" directories in the 
Windows Registry to be included in the PATH.

Still, it is rather scary that a plugin is searched for in the PATH, and it indicates 
(my speculation!) that QWebkit does /not/ restrict its search with /absolute/ 
paths which point to well known directories such as 
c:\Windows\WhateverIsConsideredSecureInHere\OpenSSL.dll. Doh!

By the way, the term to google is "DLL hijacking" or "DLL planting". There was 
quite some news about this around 2010 because even MS Office was affected 
by those *programming errors*. I can't remember the details, but I think the 
result was that Microsoft added a registry key which would allow users to at 
least prevent DLLs from being loaded (with a relative path given like 
LoadLibrary("OpenSSL.dll") <- BAD!) from the current working directory (which 
would happen e.g. when opening a document from a USB stick or network 
share/WebDAV folder etc.)

But then again, I am having a hard time trying to imagine that "DLL planting" 
an OpenSSL library into (Q)Webkit must have gone unnoticed... (do I hear some 
nervous keyboard hacking somewhere? ;)

Cheers,
  Oliver
_______________________________________________
Interest mailing list
Interest@qt-project.org
http://lists.qt-project.org/mailman/listinfo/interest
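
Added example (not part of the original message and not Qt or WebKit code): a small model of the standard Windows desktop DLL search order for a bare name such as LoadLibrary("OpenSSL.dll"), showing why a copy in a foreign PATH entry gets picked up and why bundling the library next to the application stops that. The directory layout is constructed in a temporary folder, "OpenSSL.dll" is the placeholder name used in the message, and the helper names are hypothetical.

```python
import os
import tempfile

def search_order(app_dir, system_dirs, cwd, path_env, safe_mode=True):
    """Directories Windows probes, in order, for a bare DLL name (standard
    desktop search order; KnownDLLs, already-loaded modules and manifest
    redirection are left out of this model)."""
    path_dirs = [p for p in path_env.split(os.pathsep) if p]
    if safe_mode:  # SafeDllSearchMode on: current directory comes after system dirs
        return [app_dir, *system_dirs, cwd, *path_dirs]
    return [app_dir, cwd, *system_dirs, *path_dirs]

def audit(dll, app_dir, system_dirs, cwd, path_env, safe_mode=True):
    """Return (resolved_path, trusted). trusted is False when the first hit
    lies outside the application and system directories."""
    trusted = {os.path.normcase(os.path.abspath(d)) for d in [app_dir, *system_dirs]}
    for d in search_order(app_dir, system_dirs, cwd, path_env, safe_mode):
        candidate = os.path.join(d, dll)
        if os.path.isfile(candidate):
            return candidate, os.path.normcase(os.path.abspath(d)) in trusted
    return None, True  # nothing found: the load fails, nothing foreign is mapped

def demo():
    """Constructed layout: two unrelated tools on PATH each ship OpenSSL.dll."""
    root = tempfile.mkdtemp()
    dirs = {n: os.path.join(root, *n.split("/"))
            for n in ("app", "system32", "docs", "Tortoise/bin", "CMake/bin")}
    for d in dirs.values():
        os.makedirs(d)
    for n in ("Tortoise/bin", "CMake/bin"):
        open(os.path.join(dirs[n], "OpenSSL.dll"), "wb").close()
    path_env = os.pathsep.join([dirs["Tortoise/bin"], dirs["CMake/bin"]])
    args = ("OpenSSL.dll", dirs["app"], [dirs["system32"]], dirs["docs"], path_env)
    before = audit(*args)   # resolved from a foreign PATH entry
    open(os.path.join(dirs["app"], "OpenSSL.dll"), "wb").close()
    after = audit(*args)    # the bundled copy in the application directory wins
    return dirs, before, after

if __name__ == "__main__":
    _, before, after = demo()
    print("before bundling:", before)
    print("after bundling: ", after)
```

Run against a real install by passing the application directory, the system directories and os.environ["PATH"] to audit(); a result with trusted == False means the bare-name load would come from a directory that another program put on PATH.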
