https://bugs.kde.org/show_bug.cgi?id=487152
Bug ID: 487152
Summary: GUI polkit authentication doesn't show long commands
Classification: I don't know
Product: kde
Version: unspecified
Platform: Arch Linux
OS: Linux
Status: REPORTED
Severity: normal
Priority: NOR
Component: general
Assignee: unassigned-b...@kde.org
Reporter: knyf...@gmail.com
Target Milestone: ---
Created attachment 169570
--> https://bugs.kde.org/attachment.cgi?id=169570&action=edit
SteamVR running a command that was cut off
SUMMARY
GUI polkit authentication doesn't show long commands.
STEPS TO REPRODUCE
1. Run `pkexec echo 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa something malicious
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'`
OBSERVED RESULT
The authentication dialog only shows the beginning and end of the command. That
is "aaaaaaaaa... aaaaaaaa".
EXPECTED RESULT
The entire command which you give root access is shown (possibly hidden under
"details"), such that you can check if it is malicious.
SOFTWARE/OS VERSIONS
Linux/KDE Plasma: Arch Linux
KDE Plasma Version: 6.0.4
KDE Frameworks Version: 6.1.0
Qt Version: 6.7.0
ADDITIONAL INFORMATION
I don't know if it is even possible to hide something malicious in the middle
of a command, but it could potentially be an issue. As for any "real" examples
of this issue, I've attached a screenshot of the command run when I updated
SteamVR, which got cropped due to being too long.
--
You are receiving this mail because:
You are watching all bug changes.
