quickviewer icon indicating copy to clipboard operation
quickviewer copied to clipboard
verified publisher icon kanryu

Separate directory for config

Open zoidbergthepopularone opened this issue 7 years ago • 5 comments

Hi! Would it be possible to move the configuration files to a separate subdirectory? The current system is suboptimal from a security viewpoint, as in order to have QuickViewer fully functional I have to grant full write access to the application's main folder - which means that anyone can replace the executable with their own malicious one. If the config files rested in a subdirectory, only that subdirectory would have to be writeable, which would prevent that attack vector. And, incidentally, allowed me to move the directory somewhere else by the use of junctions...

zoidbergthepopularone avatar Apr 09 '18 19:04 zoidbergthepopularone

@zoidbergthepopularone QuickViewer is not expected to install in the Program Files folder. (Of course it is technically possible) It is assumed that you save it in your AppData folder, or save it in a USB memory etc. and carry it around.

kanryu avatar Apr 09 '18 23:04 kanryu

That's perfectly understandable. I wouldn't want it any other way. I am just asking you to move quickviewer.ini and progress.ini from X:\Whatever to X:\Whatever\config. Every other file can remain in X:\Whatever.

zoidbergthepopularone avatar Apr 10 '18 03:04 zoidbergthepopularone

I wanted to write the fix myself, but unfortunately I am unable to compile QuickViewer due to some Qt dependency that I don't know how to fix. I was actually able to compile Qt (and get something like 26 GB of object files in the process), but not QV. But the change seems really simple, perhaps you would be willing to incorporate it and build QV with your setup? As far as I can tell, it would be enough to modify file QuickViewer/src/models/kvapplication.cpp so that the function QVApplication::getFilePathOfApplicationSetting would read:

QString QVApplication::getFilePathOfApplicationSetting(QString subFilePath)
{
#ifdef Q_OS_WIN
    if(m_portable) {
    	QDir settingsSubDir = getApplicationFilePath(QString("%1/config").arg(subFilePath));
    	if (settingsSubDir.exists()) {
    	    return settingsSubDir;
    	}
        return getApplicationFilePath(subFilePath);
    } else {
        return QDir(QStandardPaths::writableLocation(QStandardPaths::DataLocation)).filePath(subFilePath);
    }
#else
    return getUserHomeFilePath(subFilePath);
#endif
}

instead of:

QString QVApplication::getFilePathOfApplicationSetting(QString subFilePath)
{
#ifdef Q_OS_WIN
    if(m_portable) {
        return getApplicationFilePath(subFilePath);
    } else {
        return QDir(QStandardPaths::writableLocation(QStandardPaths::DataLocation)).filePath(subFilePath);
    }
#else
    return getUserHomeFilePath(subFilePath);
#endif
}

zoidbergthepopularone avatar Nov 22 '21 17:11 zoidbergthepopularone

Thank you for your effort!

If your thoughts go this far, I think you can make a pull request to modify the source code. Fork this repository of mine to your account, create a branch with a new name, commit source code modifications and submit a pull request to my repository.

kanryu avatar Nov 23 '21 02:11 kanryu

I don't think it's such a great idea to create a pull request if I can't even test its correctness, but sure, I can do it: https://github.com/kanryu/quickviewer/pull/175

zoidbergthepopularone avatar Nov 23 '21 04:11 zoidbergthepopularone