Fix Windows saving token.

It is still unsafe.
Black Hat 2018-09-17 12:27:00 +08:00
parent 5ca03fdea8
commit 518fad088f
1 changed files with 2 additions and 23 deletions


@ -121,16 +121,6 @@ void Controller::invokeLogin() {
AccountSettings account{accountId}; AccountSettings account{accountId};
if (!account.homeserver().isEmpty()) { if (!account.homeserver().isEmpty()) {
auto accessToken = loadAccessToken(account); auto accessToken = loadAccessToken(account);
if (accessToken.isEmpty()) {
// Try to look in the legacy location (QSettings) and if found,
// migrate it from there to a file.
accessToken = account.accessToken().toLatin1();
if (accessToken.isEmpty())
continue; // No access token anywhere, no autologin
saveAccessToken(account, accessToken);
account.clearAccessToken(); // Clean the old place
}
auto c = new Connection(account.homeserver(), this); auto c = new Connection(account.homeserver(), this);
auto deviceName = account.deviceName(); auto deviceName = account.deviceName();
@ -170,20 +160,9 @@ bool Controller::saveAccessToken(const AccountSettings& account,
accountTokenFile.open(QFile::WriteOnly))) { accountTokenFile.open(QFile::WriteOnly))) {
emit errorOccured("Cannot save access token."); emit errorOccured("Cannot save access token.");
} else { } else {
// Try to restrict access rights to the file. The below is useless
// on Windows: FAT doesn't control access at all and NTFS is
// incompatible with the UNIX perms model used by Qt. If the attempt
// didn't have the effect, at least ask the user if it's fine to save
// the token to a file readable by others.
// TODO: use system-specific API to ensure proper access.
if ((accountTokenFile.setPermissions(QFile::ReadOwner |
QFile::WriteOwner) &&
!(accountTokenFile.permissions() &
(QFile::ReadGroup | QFile::ReadOther)))) {
accountTokenFile.write(accessToken); accountTokenFile.write(accessToken);
return true; return true;
} }
}
return false; return false;
} }
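Review bot: Dropping the `setPermissions` check in the second hunk removes the owner-only restriction on every platform, not only on Windows, so on Unix-like systems the token file now gets whatever mode the process umask allows and may be readable by other local users. Keep the restriction as a best-effort step before the write, e.g. `accountTokenFile.setPermissions(QFile::ReadOwner | QFile::WriteOwner);`, without gating the write on its result. Also keep the removed `// TODO: use system-specific API to ensure proper access.` so the Windows gap stays tracked in the code rather than only in the commit message. The first hunk drops the QSettings migration as well, so a token still held in the legacy location is presumably left there in clear text and no longer used for autologin; consider keeping the migration or at least clearing the legacy entry. `saveAccessToken` begins above this hunk, so the file path and the rest of the open condition are not visible here.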