| author | Erin of Yukis <[email protected]> | 2025-10-10 19:04:44 +0200 |
|---|---|---|
| committer | Mårten Nordheim <[email protected]> | 2025-12-14 22:00:57 +0000 |
| commit | fb9f4444fa716f6aa93d3d13d3037b30c005d7a7 (patch) | |
| tree | 6044be6aaa465e75d8a12bd3b0377562ce9d4ff3 /src | |
| parent | 2d65847d6473ef164f61f7cc2257387f41cd5efc (diff) | |
QTlsBackendOpenSSL: do not use broken symlinks as cert paths
The QTls OpenSSL backend on Unix should ignore any broken symlinks
encountered rather than attempting to add the empty certificate path
generated after path canonicalization to the list of trusted system
certificates.
Current Qt code rejects such empty paths due to using
`QSslCertificate::fromFile`, but Qt 6.9- instead used
`QSslCertificate::fromPath` which (before Qt 6.9.2) used to interpret
an empty path to mean “add everything below the current working
directory as potential certificate”!
On all newer versions this only avoids unnecessarily adding an empty
path to the list of certificates.
Change-Id: I94136b33670be2fa42531fc3c74db432bad67f4a
Pick-to: 6.11 6.10
Reviewed-by: Mårten Nordheim <[email protected]>
Diffstat (limited to 'src')
| -rw-r--r-- | src/plugins/tls/openssl/qtlsbackend_openssl.cpp | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/src/plugins/tls/openssl/qtlsbackend_openssl.cpp b/src/plugins/tls/openssl/qtlsbackend_openssl.cpp index deb257be01c..d3b7d669ec7 100644 --- a/src/plugins/tls/openssl/qtlsbackend_openssl.cpp +++ b/src/plugins/tls/openssl/qtlsbackend_openssl.cpp @@ -407,8 +407,13 @@ QList<QSslCertificate> systemCaCertificates() for (const QByteArray &directory : directories) { for (const auto &dirEntry : QDirListing(QFile::decodeName(directory), flags)) { // use canonical path here to not load the same certificate twice if symlinked - if (hasMatchingExtension(dirEntry.fileName())) - certFiles.insert(dirEntry.canonicalFilePath()); + if (hasMatchingExtension(dirEntry.fileName())) { + QString canonicalPath = dirEntry.canonicalFilePath(); + // skip broken symlinks to not end up adding "" to the list which will then + // just be rejected by `QSslCertificate::fromFile` + if (!canonicalPath.isEmpty()) + certFiles.insert(canonicalPath); + } } } for (const QString& file : std::as_const(certFiles)) |
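Review bot: The comment added inside the `hasMatchingExtension` branch gives only the harmless reason for the check (the empty string "will then just be rejected by `QSslCertificate::fromFile`"), and leaves out the reason from the commit message that makes it worth keeping: an empty path handed to `QSslCertificate::fromPath` used to mean "everything below the current working directory". I would add a clause to that comment so the `!canonicalPath.isEmpty()` guard is not later removed as redundant. `canonicalPath` is never modified after initialization, so it can be declared `const QString`. The diffstat lists only qtlsbackend_openssl.cpp, so nothing exercises the new branch; a test that places a dangling symlink with a matching extension in a certificate directory and checks that no empty entry reaches `certFiles` would pin the behaviour.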
