1. 21 Aug, 2020 1 commit
    • Port KRun to OpenUrlJob and ApplicationLauncherJob · c4c765a9
      Ahmad Samir authored
      In BatchExtract, use QUrl::fromLocalFile to construct a url with the
      file:// scheme, so that the destination dir can be opened after the
      extraction is finished.
      
      Bump minimum KF version to 5.71 as that's where OpenUrlJob was introduced.
  2. 08 Aug, 2020 2 commits
  3. 05 Aug, 2020 3 commits
  4. 31 Jul, 2020 4 commits
  5. 29 Jul, 2020 2 commits
    • Merge branch 'release/20.08' · 9393b0d8
      Elvis Angelaccio authored
    • Fix vulnerability to path traversal attacks · 0df59252
      Elvis Angelaccio authored
      Ark was vulnerable to directory traversal attacks because of
      missing validation of file paths in the archive.
      
      More details about this attack are available at:
      https://github.com/snyk/zip-slip-vulnerability
      
      Job::onEntry() is the only place where we can safely check the path of
      every entry in the archive. There shouldn't be a valid reason
      to have a "../" in an archive path, so we can just play safe and abort
      the LoadJob if we detect such an entry. This makes it impossible to
      extract this kind of malicious archive and perform the attack.
      
      Thanks to Albert Astals Cid for suggesting to use QDir::cleanPath()
      so that we can still allow loading of legitimate archives that
      contain "../" in their paths but still resolve inside the extraction folder.
  6. 22 Jul, 2020 2 commits
  7. 17 Jul, 2020 3 commits
  8. 11 Jul, 2020 3 commits
  9. 10 Jul, 2020 2 commits
  10. 03 Jul, 2020 3 commits
  11. 18 Jun, 2020 4 commits
  12. 17 Jun, 2020 4 commits
  13. 14 Jun, 2020 1 commit
  14. 13 Jun, 2020 1 commit
  15. 08 Jun, 2020 3 commits
  16. 02 Jun, 2020 2 commits