Do not pass in command line arguments to QApplication #16578
Conversation
QApplication takes the command line arguments and parses them itself for some built in command line arguments that it has. We don't want any of those built in arguments, so instead give it dummy arguments.
Care to explain why? |
They can do unexpected things and cause issues. Qt can also just add more arguments that do other stuff. We have a larger attack surface by allowing this. |
|
@theuni might want to comment here, as he was asking about if the changes in #16386 would |
| BitcoinApplication::BitcoinApplication(interfaces::Node& node, int &argc, char **argv): | ||
| QApplication(argc, argv), | ||
| static int qt_argc = 1; | ||
| static const char* qt_argv = "bitcoin-qt"; |
There was a problem hiding this comment.
- these can be inside the function scope
- if you remove the
consthere, you don't need toconst_castbelow (which is dangerous, as now this will be put in a.rodatasection and Qt might try to write it)
There was a problem hiding this comment.
these can be inside the function scope
What function? Constructor?
There was a problem hiding this comment.
My suggestion is to make the constructor private and add a static BitcoinApplication::create() where you could declare a temporary static argc and argv and the app.
There was a problem hiding this comment.
Please note:
Warning: The data referred to by argc and argv must stay valid for the entire lifetime of the
QCoreApplicationobject.
There was a problem hiding this comment.
* if you remove the `const` here, you don't need to `const_cast` below (which is dangerous, as now this will be put in a `.rodata` section and Qt might try to write it)
GCC complains if it is non const.
warning: ISO C++ forbids converting a string constant to ‘char*’ [-Wwrite-strings]
There was a problem hiding this comment.
My suggestion is to make the constructor private and add a
static BitcoinApplication::create()where you could declare atemporarystatic argc and argv and the app.
That requires a copy constructor, and QApplication does not have one. Qt explicitly does not want things to be copied.
There was a problem hiding this comment.
GCC complains if it is non const.
Could be:
| static const char* qt_argv = "bitcoin-qt"; | |
| static char qt_arg[] = "bitcoin-qt"; | |
| static char* qt_argv = qt_arg; |
?
There was a problem hiding this comment.
That requires a copy constructor, and QApplication does not have one. Qt explicitly does not want things to be copied.
Eh, whatever you do, please don't copy around QApplication objects, even if you could. It's a singleton.
It's also definitely not necessary to solve this.
|
Concept ACK |
| BitcoinApplication::BitcoinApplication(interfaces::Node& node, int &argc, char **argv): | ||
| QApplication(argc, argv), | ||
| static int qt_argc = 1; | ||
| static const char* qt_argv = "bitcoin-qt"; |
There was a problem hiding this comment.
Please note:
Warning: The data referred to by argc and argv must stay valid for the entire lifetime of the
QCoreApplicationobject.
|
@hebasto that's why the variables are |
|
Concept ACK |
|
Concept ACK: smaller attack surface is better. |
|
Concept ACK. |
|
How about this diff --git a/src/qt/bitcoin.cpp b/src/qt/bitcoin.cpp
index 5ce4f3c19..f38235b15 100644
--- a/src/qt/bitcoin.cpp
+++ b/src/qt/bitcoin.cpp
@@ -169,11 +169,8 @@ void BitcoinCore::shutdown()
}
}
-static int qt_argc = 1;
-static const char* qt_argv = "bitcoin-qt";
-
BitcoinApplication::BitcoinApplication(interfaces::Node& node):
- QApplication(qt_argc, const_cast<char **>(&qt_argv)),
+ QApplication(argc, const_cast<char **>(&argv)),
coreThread(nullptr),
m_node(node),
optionsModel(nullptr),
diff --git a/src/qt/bitcoin.h b/src/qt/bitcoin.h
index 3869193a3..d8b7f3b36 100644
--- a/src/qt/bitcoin.h
+++ b/src/qt/bitcoin.h
@@ -55,6 +55,10 @@ private:
class BitcoinApplication: public QApplication
{
Q_OBJECT
+
+ // Some wild comment here...
+ int argc{1};
+ const char* argv{"bitcoin-qt"};
public:
explicit BitcoinApplication(interfaces::Node& node);
~BitcoinApplication(); |
Results in a segfault. FWIW, making the |
|
@achow101 Edit: oh, because of the string constant. I get it, the string is read-only, which is fine, Qt is not going to change the contents of arguments, but the array needs to be writable as it might remove arguments. |
|
ACK a2714a5 |
|
Technically, there is a solution without |
I'm going to leave it as is. I feel that doing the same thing that Qt does internally is safe and there's no reason that we should not follow suit. |
Indeed. ACK a2714a5 |
a2714a5 Give QApplication dummy arguments (Andrew Chow) Pull request description: QApplication takes the command line arguments and parses them itself for some [built in command line arguments](https://doc.qt.io/qt-5/qapplication.html#QApplication) that it has. We don't want any of those built in arguments, so instead give it dummy arguments. To test, you can use the `-reverse` option. Without this patch, everything will appear right-to-left; things that were on the left side will be on the right and everything is right aligned. After this patch, `-reverse` will now give a startup error since we do not support this argument. ACKs for top commit: laanwj: ACK a2714a5 hebasto: ACK a2714a5 fanquake: ACK a2714a5 - Have tested that arguments like `-reverse` are no longer being passed through and result in an error. Tree-SHA512: 983bd948ca6999f895b6662b58c37e33af7ed61fdd600c6b4623febb87ec06a92c66e3b3300783530110cc711902793ef82d751d7f563696c4c3a8416b2b1f51
|
Added for backport in #16617. |
…ation a2714a5 Give QApplication dummy arguments (Andrew Chow) Pull request description: QApplication takes the command line arguments and parses them itself for some [built in command line arguments](https://doc.qt.io/qt-5/qapplication.html#QApplication) that it has. We don't want any of those built in arguments, so instead give it dummy arguments. To test, you can use the `-reverse` option. Without this patch, everything will appear right-to-left; things that were on the left side will be on the right and everything is right aligned. After this patch, `-reverse` will now give a startup error since we do not support this argument. ACKs for top commit: laanwj: ACK a2714a5 hebasto: ACK a2714a5 fanquake: ACK a2714a5 - Have tested that arguments like `-reverse` are no longer being passed through and result in an error. Tree-SHA512: 983bd948ca6999f895b6662b58c37e33af7ed61fdd600c6b4623febb87ec06a92c66e3b3300783530110cc711902793ef82d751d7f563696c4c3a8416b2b1f51
|
What about
We don't want to be too specific about this yet. |
QApplication takes the command line arguments and parses them itself for some built in command line arguments that it has. We don't want any of those built in arguments, so instead give it dummy arguments. Github-Pull: bitcoin#16578 Rebased-From: a2714a5
|
I made an issue about the |
|
This also breaks the URI handler on macOS, but only when opening from the command line, not when opening from a browser. See #17025. |
0b18ea6 util: Filter control characters out of log messages (Wladimir J. van der Laan) ac30fc4 build: Factor out qt translations from build system (Wladimir J. van der Laan) 3b8af5f build: update boost macros to latest upstream (fanquake) b12defc Test that joinpsbts randomly shuffles the inputs (Andrew Chow) eb07d22 Shuffle inputs and outputs after joining psbts (Andrew Chow) 1175410 addrdb: Remove temporary files created in SerializeFileDB. Fixes non-determinism in unit tests. (practicalswift) c52dd12 Handle the result of posix_fallocate system call (Luca Venturini) f792b25 torcontrol: Use the default/standard network port for Tor hidden services, even if the internal port is set differently (Luke Dashjr) 9fe8d28 Bugfix: QA: Run tests with UPnP disabled (Luke Dashjr) 1d12e52 Add vertical spacer (Josu Goñi) d764141 depends: add patch to common dependencies (fanquake) 56815e9 Give QApplication dummy arguments (Andrew Chow) 9d389d0 util: No translation of `Bitcoin Core` in the copyright (MarcoFalke) 87908e9 scripted-diff: Avoid passing PACKAGE_NAME for translation (MarcoFalke) a44e18f build: Stop translating PACKAGE_NAME (MarcoFalke) 7bd8f4e rpc: Fix getblocktemplate CLI example (#16594) (Emil Engler) 1cc06a1 doc: Fix typos in COPYRIGHT (Chuf) Pull request description: Backports some commits to the `0.18` branch: * #16596 - rpc: Fix getblocktemplate CLI example * #16615 - doc: Fix typos in COPYRIGHT * #16291 - gui: Stop translating PACKAGE_NAME (without the `make translate` commit) * #16578 - Do not pass in command line arguments to QApplication * #16051 - depends: add patch to common dependencies * #16090 - Add vertical spacer * #15651 - torcontrol: Use the default/standard network port for Tor hidden services, even if the internal port is set differently * #15650 - Handle the result of posix_fallocate system call * #16646 - Bugfix: QA: Run tests with UPnP disabled * #16212 - addrdb: Remove temporary files created in SerializeFileDB. Fixes non-determinism in unit tests. * #16512 - rpc: Shuffle inputs and outputs after joining psbts * #16870 - build: update boost macros to latest upstream for improved error reporting * #16982 - build: Factor out qt translations from build system * #17095 - util: Filter control characters out of log messages ACKs for top commit: laanwj: ACK 0b18ea6 Tree-SHA512: 37f0e5afc20975f4d1506e8662eda2ae0125f2f424a852818b5af2c3b8db78fc1c365b83571aa80ca63c885ca314302190b891a50ff3851fda9b9238455a5627
Summary: a2714a5c69f0b0506689af04c3e785f71ee0915d Give QApplication dummy arguments (Andrew Chow) Pull request description: QApplication takes the command line arguments and parses them itself for some [built in command line arguments](https://doc.qt.io/qt-5/qapplication.html#QApplication) that it has. We don't want any of those built in arguments, so instead give it dummy arguments. To test, you can use the `-reverse` option. Without this patch, everything will appear right-to-left; things that were on the left side will be on the right and everything is right aligned. After this patch, `-reverse` will now give a startup error since we do not support this argument. --- Backport of Core [[bitcoin/bitcoin#16578 | PR16578]] Test Plan: ninja all check check-functional Check that `bitcoin-qt -reverse -regtest` gives an error with this patch and reverses the GUI without i.t Reviewers: #bitcoin_abc, jasonbcox Reviewed By: #bitcoin_abc, jasonbcox Subscribers: jasonbcox Differential Revision: https://reviews.bitcoinabc.org/D7747
|
Disclosure of the vulnerability this PR fixes: https://achow101.com/2021/02/0.18-uri-vuln A possible followup now that this is public would be to explicitly allow safe Qt arguments instead of flatly disabling all of them. |
|
@achow101 Very nice find and thanks for sharing! Has this one been assigned a CVE yet? |
|
- bitcoin/bitcoin#16578 - https://achow101.com/2021/02/0.18-uri-vuln (CVE-2021-3401) - https://www.twitch.tv/videos/897351419 p.s. about explicit constructor for KomodoApplication class, according C++ Standart 12.3.1 "a default constructor may be an explicit constructor", so, let it be here as is (with explicit keyword).
Fixes URI Argument Injection in Ravencoin-Qt
Ref: https://achow101.com/2021/02/0.18-uri-vuln
Ref: bitcoin/bitcoin#16578
Fixes URI Argument Injection in Ravencoin-Qt
Ref: https://achow101.com/2021/02/0.18-uri-vuln
Ref: bitcoin/bitcoin#16578
Fixes URI Argument Injection in Ravencoin-Qt
Ref: https://achow101.com/2021/02/0.18-uri-vuln
Ref: bitcoin/bitcoin#16578
Fixes URI Argument Injection in Ravencoin-Qt
Ref: https://achow101.com/2021/02/0.18-uri-vuln
Ref: bitcoin/bitcoin#16578
…ation a2714a5 Give QApplication dummy arguments (Andrew Chow) Pull request description: QApplication takes the command line arguments and parses them itself for some [built in command line arguments](https://doc.qt.io/qt-5/qapplication.html#QApplication) that it has. We don't want any of those built in arguments, so instead give it dummy arguments. To test, you can use the `-reverse` option. Without this patch, everything will appear right-to-left; things that were on the left side will be on the right and everything is right aligned. After this patch, `-reverse` will now give a startup error since we do not support this argument. ACKs for top commit: laanwj: ACK a2714a5 hebasto: ACK a2714a5 fanquake: ACK a2714a5 - Have tested that arguments like `-reverse` are no longer being passed through and result in an error. Tree-SHA512: 983bd948ca6999f895b6662b58c37e33af7ed61fdd600c6b4623febb87ec06a92c66e3b3300783530110cc711902793ef82d751d7f563696c4c3a8416b2b1f51
Fixes URI Argument Injection in Ravencoin-Qt
Ref: https://achow101.com/2021/02/0.18-uri-vuln
Ref: bitcoin/bitcoin#16578
11 participants
QApplication takes the command line arguments and parses them itself for some built in command line arguments that it has. We don't want any of those built in arguments, so instead give it dummy arguments.
To test, you can use the
-reverseoption. Without this patch, everything will appear right-to-left; things that were on the left side will be on the right and everything is right aligned.After this patch,
-reversewill now give a startup error since we do not support this argument.