Do not pass in command line arguments to QApplication #16578

pull achow101 wants to merge 1 commits into bitcoin:master from achow101:no-qapp-args changing 3 files +8 −5
  1. achow101 commented at 7:52 pm on August 9, 2019: member

    QApplication takes the command line arguments and parses them itself for some built in command line arguments that it has. We don’t want any of those built in arguments, so instead give it dummy arguments.

    To test, you can use the -reverse option. Without this patch, everything will appear right-to-left; things that were on the left side will be on the right and everything is right aligned.

    After this patch, -reverse will now give a startup error since we do not support this argument.

  2. Give QApplication dummy arguments
    QApplication takes the command line arguments and parses them itself
    for some built in command line arguments that it has. We don't want
    any of those built in arguments, so instead give it dummy arguments.
    a2714a5c69
  3. promag commented at 7:56 pm on August 9, 2019: member

    We don’t want any of those built in arguments

    Care to explain why?

  4. achow101 commented at 8:03 pm on August 9, 2019: member

    Care to explain why?

    They can do unexpected things and cause issues. Qt can also just add more arguments that do other stuff. We have a larger attack surface by allowing this.

  5. DrahtBot added the label GUI on Aug 9, 2019
  6. DrahtBot added the label Tests on Aug 9, 2019
  7. fanquake commented at 1:19 am on August 10, 2019: member
    @theuni might want to comment here, as he was asking about if the changes in #16386 would remove the ability to add qt-specific runtime args to bitcoin-qt ?.
  8. fanquake removed the label Tests on Aug 10, 2019
  9. in src/qt/bitcoin.cpp:173 in a2714a5c69
    168@@ -169,8 +169,11 @@ void BitcoinCore::shutdown()
    169     }
    170 }
    171 
    172-BitcoinApplication::BitcoinApplication(interfaces::Node& node, int &argc, char **argv):
    173-    QApplication(argc, argv),
    174+static int qt_argc = 1;
    175+static const char* qt_argv = "bitcoin-qt";
    


    laanwj commented at 11:10 am on August 10, 2019:
    • these can be inside the function scope
    • if you remove the const here, you don’t need to const_cast below (which is dangerous, as now this will be put in a .rodata section and Qt might try to write it)

    promag commented at 11:26 am on August 10, 2019:

    these can be inside the function scope

    What function? Constructor?


    promag commented at 11:28 am on August 10, 2019:
    My suggestion is to make the constructor private and add a static BitcoinApplication::create() where you could declare a temporary static argc and argv and the app.

    hebasto commented at 11:41 am on August 10, 2019:

    Please note:

    Warning: The data referred to by argc and argv must stay valid for the entire lifetime of the QCoreApplication object.


    achow101 commented at 5:11 pm on August 10, 2019:
    * if you remove the `const` here, you don't need to `const_cast` below (which is dangerous, as now this will be put in a `.rodata` section and Qt might try to write it)
    

    GCC complains if it is non const.

    0warning: ISO C++ forbids converting a string constant to char* [-Wwrite-strings]
    

    achow101 commented at 5:39 pm on August 10, 2019:

    My suggestion is to make the constructor private and add a static BitcoinApplication::create() where you could declare a temporary static argc and argv and the app.

    That requires a copy constructor, and QApplication does not have one. Qt explicitly does not want things to be copied.


    hebasto commented at 7:03 pm on August 10, 2019:

    GCC complains if it is non const.

    Could be:

    0static char qt_arg[] = "bitcoin-qt";
    1static char* qt_argv = qt_arg;
    

    ?


    laanwj commented at 9:28 am on August 12, 2019:

    That requires a copy constructor, and QApplication does not have one. Qt explicitly does not want things to be copied.

    Eh, whatever you do, please don’t copy around QApplication objects, even if you could. It’s a singleton. It’s also definitely not necessary to solve this.

  10. laanwj commented at 11:10 am on August 10, 2019: member
    Concept ACK
  11. hebasto commented at 11:42 am on August 10, 2019: member
    Concept ACK
  12. laanwj commented at 11:44 am on August 10, 2019: member
    @hebasto that’s why the variables are static, it holds just as true for static variables within a function scope
  13. fanquake commented at 11:47 am on August 10, 2019: member
    Concept ACK
  14. practicalswift commented at 6:13 pm on August 10, 2019: contributor
    Concept ACK: smaller attack surface is better.
  15. jonasschnelli commented at 7:15 pm on August 10, 2019: contributor
    Concept ACK. Codewise, I agree with @laanwj that casting const away and passing it to QApplication seems unfortunate.
  16. promag commented at 7:35 pm on August 10, 2019: member

    How about this

     0diff --git a/src/qt/bitcoin.cpp b/src/qt/bitcoin.cpp
     1index 5ce4f3c19..f38235b15 100644
     2--- a/src/qt/bitcoin.cpp
     3+++ b/src/qt/bitcoin.cpp
     4@@ -169,11 +169,8 @@ void BitcoinCore::shutdown()
     5     }
     6 }
     7
     8-static int qt_argc = 1;
     9-static const char* qt_argv = "bitcoin-qt";
    10-
    11 BitcoinApplication::BitcoinApplication(interfaces::Node& node):
    12-    QApplication(qt_argc, const_cast<char **>(&qt_argv)),
    13+    QApplication(argc, const_cast<char **>(&argv)),
    14     coreThread(nullptr),
    15     m_node(node),
    16     optionsModel(nullptr),
    17diff --git a/src/qt/bitcoin.h b/src/qt/bitcoin.h
    18index 3869193a3..d8b7f3b36 100644
    19--- a/src/qt/bitcoin.h
    20+++ b/src/qt/bitcoin.h
    21@@ -55,6 +55,10 @@ private:
    22 class BitcoinApplication: public QApplication
    23 {
    24     Q_OBJECT
    25+
    26+    // Some wild comment here...
    27+    int argc{1};
    28+    const char* argv{"bitcoin-qt"};
    29 public:
    30     explicit BitcoinApplication(interfaces::Node& node);
    31     ~BitcoinApplication();
    
  17. achow101 commented at 8:08 pm on August 10, 2019: member

    How about this

    Results in a segfault.


    FWIW, making the argv const and then casting it is how QCoreApplication does it internally when you say argc is 0. The only reason that I did not choose to just do QApplication(0, 0) is because it results in the warning QSettings::value: Empty key passed being printed a couple of times (at least for me using KDE, this might actually just be a KDE thing).

  18. fanquake added this to the milestone 0.19.0 on Aug 12, 2019
  19. laanwj commented at 10:48 am on August 14, 2019: member

    @achow101 But why add the const at all if you’re going to cast it away?

    Edit: oh, because of the string constant. I get it, the string is read-only, which is fine, Qt is not going to change the contents of arguments, but the array needs to be writable as it might remove arguments.

  20. laanwj commented at 10:51 am on August 14, 2019: member
    ACK a2714a5c69f0b0506689af04c3e785f71ee0915d
  21. hebasto commented at 10:54 am on August 14, 2019: member
    Technically, there is a solution without const.
  22. achow101 commented at 5:46 pm on August 14, 2019: member

    Technically, there is a solution without const.

    I’m going to leave it as is. I feel that doing the same thing that Qt does internally is safe and there’s no reason that we should not follow suit.

  23. hebasto commented at 5:55 pm on August 14, 2019: member

    FWIW, making the argv const and then casting it is how QCoreApplication does it internally when you say argc is 0.

    Indeed.

    ACK a2714a5c69f0b0506689af04c3e785f71ee0915d

  24. fanquake approved
  25. fanquake commented at 7:19 am on August 15, 2019: member
    ACK a2714a5c69f0b0506689af04c3e785f71ee0915d - Have tested that arguments like -reverse are no longer being passed through and result in an error.
  26. fanquake merged this on Aug 15, 2019
  27. fanquake closed this on Aug 15, 2019

  28. fanquake referenced this in commit 8fc7f0cba9 on Aug 15, 2019
  29. fanquake referenced this in commit 41a96ae28a on Aug 15, 2019
  30. fanquake commented at 8:47 am on August 15, 2019: member
    Added for backport in #16617.
  31. sidhujag referenced this in commit 371b53afb9 on Aug 17, 2019
  32. luke-jr commented at 7:16 pm on August 23, 2019: member
    Some of these options are useful…
  33. luke-jr commented at 7:28 pm on August 23, 2019: member

    Examples of options users should be free to use/play with:

    • -style= style, sets the application GUI style. Possible values are motif, windows, and platinum. If you compiled Qt with additional styles or have additional styles as plugins these will be available to the -style command line option.
    • -style style, is the same as listed above.
    • -stylesheet= stylesheet, sets the application styleSheet. The value must be a path to a file that contains the Style Sheet.
    • -reverse, sets the application’s layout direction to Qt::RightToLeft
    • -graphicssystem, sets the backend to be used for on-screen widgets and QPixmaps. Available options are raster and opengl.
    • -display display, sets the X display (default is $DISPLAY).
    • -geometry geometry, sets the client geometry of the first window that is shown.
    • -fn or -font font, defines the application font. The font should be specified using an X logical font description. Note that this option is ignored when Qt is built with fontconfig support enabled.
    • -bg or -background color, sets the default background color and an application palette (light and dark shades are calculated).
    • -fg or -foreground color, sets the default foreground color.
    • -btn or -button color, sets the default button color.
    • -visual TrueColor, forces the application to use a TrueColor visual on an 8-bit display.
    • -ncols count, limits the number of colors allocated in the color cube on an 8-bit display, if the application is using the QApplication::ManyColor color specification. If count is 216 then a 6x6x6 color cube is used (i.e. 6 levels of red, 6 of green, and 6 of blue); for other values, a cube approximately proportional to a 2x3x1 cube is used.
    • -cmap, causes the application to install a private color map on an 8-bit display.
    • -im, sets the input method server (equivalent to setting the XMODIFIERS environment variable)
    • -inputstyle, defines how the input is inserted into the given widget, e.g., onTheSpot makes the input appear directly in the widget, while overTheSpot makes the input appear in a box floating over the widget and is not inserted until the editing is done.

    Some of these (eg, -display) are standard options for GUI applications that we don’t independently implement. Future versions of Qt may add more useful options.

  34. fanquake referenced this in commit 11246fef1f on Aug 24, 2019
  35. luke-jr referenced this in commit 9a457df53a on Sep 3, 2019
  36. ryanofsky commented at 8:58 pm on September 11, 2019: member

    This change broke the ability to run GUI tests while seeing actions onscreen:

    https://github.com/bitcoin/bitcoin/blob/2324aa1dc409e9496b7083aaef5fcb20849f33c0/src/qt/test/wallettests.cpp#L126-L128

    Without being able to set the platform, it’s not really possible to write new interactive tests or debug existing ones. I could try to figure out a workaround, maybe using different styles of argument passing for the test program and main program, or maybe implementing some new mechanism for choosing the qt backend other than the standard one…

    But honestly I don’t find this PR to be very well motivated to begin with, and I wonder if there would be practical downsides to just reverting it. I don’t want to step on anybody’s toes, but I don’t understand where the motivation for this change originally came from and if there are security concerns other than the non-specific “larger attack surface” one cited in comments.

    I’d like to know if it’d be ok to submit a PR reverting this change, or if another approach would be suggested.

  37. laanwj commented at 5:45 am on September 12, 2019: member

    What about QT_QPA_PLATFORM or one of the other environment variables?

    the non-specific “larger attack surface” one cited in comments

    We don’t want to be too specific about this yet.

  38. fanquake referenced this in commit 56815e9e12 on Sep 23, 2019
  39. Sjors commented at 5:06 pm on October 1, 2019: member
    I made an issue about the test_bitcoin-qt -platform cocoa: #17013. I see @ryanofsky already spotted it. A QT_QPA_PLATFORM environment variable works for me.
  40. Sjors commented at 4:14 pm on October 2, 2019: member
    This also breaks the URI handler on macOS, but only when opening from the command line, not when opening from a browser. See #17025.
  41. laanwj referenced this in commit 29d70264fb on Nov 25, 2019
  42. jasonbcox referenced this in commit 6178d57da2 on Oct 2, 2020
  43. achow101 commented at 4:33 pm on February 1, 2021: member

    Disclosure of the vulnerability this PR fixes: https://achow101.com/2021/02/0.18-uri-vuln

    A possible followup now that this is public would be to explicitly allow safe Qt arguments instead of flatly disabling all of them.

  44. practicalswift commented at 8:49 am on February 2, 2021: contributor
    @achow101 Very nice find and thanks for sharing! Has this one been assigned a CVE yet?
  45. hebasto commented at 10:39 pm on March 30, 2021: member

    Has this one been assigned a CVE yet?

    CVE-2021-3401

  46. DeckerSU referenced this in commit 028774f91e on Jun 26, 2021
  47. fdoving referenced this in commit e258ec008a on Nov 3, 2021
  48. fdoving referenced this in commit d635c369db on Nov 3, 2021
  49. fdoving referenced this in commit 6c62408f6b on Nov 3, 2021
  50. fdoving referenced this in commit 709c17e4d5 on Nov 5, 2021
  51. Munkybooty referenced this in commit 1bd0c9a372 on Nov 25, 2021
  52. Munkybooty referenced this in commit 7b8ddda8ea on Nov 30, 2021
  53. hans-schmidt referenced this in commit 67229997ee on Feb 9, 2022
  54. DrahtBot locked this on Aug 16, 2022

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2024-12-18 18:12 UTC

This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me