Bug 434808

Summary: Is it a security risk when kwin scripts can call any dbus method?
Product: [Plasma] kwin Reporter: trmdi
Component: scripting
Assignee: KWin default assignee <kwin-bugs-null>
Status: RESOLVED NOT A BUG    
Severity: normal CC: kde, nate
Priority: NOR    
Version First Reported In: unspecified   
Target Milestone: ---   
Platform: Other   
OS: Linux   
Latest Commit:
Version Fixed/Implemented In:
Sentry Crash Report:

Description trmdi 2021-03-23 01:16:08 UTC
SUMMARY

Any script can use callDBus to execute any command with methods provided by the KLauncher service.

What do you think about this?
Comment 1 trmdi 2021-03-24 05:03:28 UTC
Maybe whenever a call to KLauncher is made, there should be a confirm dialog, like the way Dolphin does when the user clicks on an executable file?
Comment 2 David Edmundson 2021-03-24 10:20:40 UTC
It is not a security risk in the sense that we never claim to provide any sandboxing or protection.

Same for dolphin file extensions, plasmoids or anything else.

We should definitely be putting some warning into these GHNS dialogs.

> Maybe whenever a call to KLauncher is made, there should be a confirm dialog

Trying to plug holes after running random code is a more dangerous game as we're making promises that we can never fill.