Use blacklist for executables, explicitly run executables with QProcess to work around KDE4.4 security measure which disallows running executables

11 years ago · 695bd74ce5
4 changed files with 18 additions and 15 deletions
--- a/src/chatlog/content/filetransferwidget.cpp
+++ b/src/chatlog/content/filetransferwidget.cpp
@ -429,8 +429,7 @@ void FileTransferWidget::handleButton(QPushButton *btn)
				@@ -429,8 +429,7 @@ void FileTransferWidget::handleButton(QPushButton *btn)

    if(btn->objectName() == "ok")
    {
-        if (Widget::confirmExecutableOpen(QFileInfo(fileInfo.filePath)))
-            QDesktopServices::openUrl(QUrl("file://" + fileInfo.filePath, QUrl::TolerantMode));
+        Widget::confirmExecutableOpen(QFileInfo(fileInfo.filePath));
    }
    else if (btn->objectName() == "dir")
    {
--- a/src/widget/form/filesform.cpp
+++ b/src/widget/form/filesform.cpp
@ -20,7 +20,6 @@
				@@ -20,7 +20,6 @@
 #include <QFileInfo>
 #include <QUrl>
 #include <QDebug>
-#include <QDesktopServices>

 FilesForm::FilesForm()
    : QObject()
@ -82,10 +81,5 @@ void FilesForm::onFileActivated(QListWidgetItem* item)
				@@ -82,10 +81,5 @@ void FilesForm::onFileActivated(QListWidgetItem* item)
 {
    ListWidgetItem* tmp = dynamic_cast<ListWidgetItem*> (item);

-    if (!Widget::confirmExecutableOpen(QFileInfo(tmp->path)))
-        return;
-
-    QUrl url = QUrl::fromLocalFile(tmp->path);
-    qDebug() << "Opening '" << url << "'";
-    QDesktopServices::openUrl(url);
+    Widget::confirmExecutableOpen(QFileInfo(tmp->path));
 }
--- a/src/widget/widget.cpp
+++ b/src/widget/widget.cpp
@ -59,6 +59,8 @@
				@@ -59,6 +59,8 @@
 #include <QByteArray>
 #include <QImageReader>
 #include <QList>
+#include <QDesktopServices>
+#include <QProcess>
 #include <tox/tox.h>

 #ifdef Q_OS_ANDROID
@ -498,17 +500,25 @@ void Widget::onTransferClicked()
				@@ -498,17 +500,25 @@ void Widget::onTransferClicked()
    activeChatroomWidget = nullptr;
 }

-bool Widget::confirmExecutableOpen(const QFileInfo file)
+void Widget::confirmExecutableOpen(const QFileInfo file)
 {
-    if (file.isExecutable())
+    static const QStringList dangerousExtensions = { "app", "bat", "com", "cpl", "dmg", "exe", "hta", "jar", "js", "jse", "lnk", "msc", "msh", "msh1", "msh1xml", "msh2", "msh2xml", "mshxml", "msi", "msp", "pif", "ps1", "ps1xml", "ps2", "ps2xml", "psc1", "psc2", "py", "reg", "scf", "sh", "src", "vb", "vbe", "vbs", "ws", "wsc", "wsf", "wsh" };
+
+    if (dangerousExtensions.contains(file.suffix()))
    {
        if(!GUI::askQuestion(tr("Executable file", "popup title"), tr("You have asked qTox to open an executable file. Executable files can potentially damage your computer. Are you sure want to open this file?", "popup text"), false, true))
        {
-            return false;
+            return;
        }
+        
+        // The user wants to run this file, so make it executable and run it
+        QFile(file.filePath()).setPermissions(file.permissions() | QFile::ExeOwner | QFile::ExeUser | QFile::ExeGroup | QFile::ExeOther);
+        QProcess::startDetached(file.filePath());
+    }
+    else
+    {
+        QDesktopServices::openUrl(QUrl("file://" + file.filePath(), QUrl::TolerantMode));
    }
-
-    return true;
 }

 void Widget::onIconClick(QSystemTrayIcon::ActivationReason reason)
--- a/src/widget/widget.h
+++ b/src/widget/widget.h
@ -70,7 +70,7 @@ public:
				@@ -70,7 +70,7 @@ public:
    virtual void changeEvent(QEvent *event);
    virtual void resizeEvent(QResizeEvent *event);

-    static bool confirmExecutableOpen(const QFileInfo file);
+    static void confirmExecutableOpen(const QFileInfo file);

    void clearAllReceipts();
    void reloadHistory();