[QGIS-Developer] Mitigating security risks of the Official Plugin Repository
Luigi Pirelli
luipir at gmail.com
Thu Jan 25 01:38:00 PST 2018
Hi Daniel
as you can see reading the code in
https://github.com/qgis/QGIS/blob/release-2_18/python/pyplugin_installer/installer_data.py#L316-L326
repos are get from Settings (that you can install a custom one via
custom post install scripts) and repos are compared with officialRepo
array that is global scope var that you can and set via python
import pyplugin_installer
print pyplugin_installer.installer_data.officialRepo
(u'QGIS Official Plugin Repository',
'https://plugins.qgis.org/plugins/plugins.xml',
'https://plugins.qgis.org/plugins')
because it's python you can overload/alias almost everithing, also
that function that have hardcoded params
btw If you find useful an enhancement, please file a PR with you
general solution that can be useful to other users.
just my 2c because I never approached this problem...
Luigi Pirelli
**************************************************************************************************
* LinkedIn: https://www.linkedin.com/in/luigipirelli
* Stackexchange: http://gis.stackexchange.com/users/19667/luigi-pirelli
* GitHub: https://github.com/luipir
* Mastering QGIS 2nd Edition:
* https://www.packtpub.com/big-data-and-business-intelligence/mastering-qgis-second-edition
* Hire me: http://goo.gl/BYRQKg
**************************************************************************************************
On 25 January 2018 at 02:13, Daniel Silk <dsilk at linz.govt.nz> wrote:
> Hi all
>
> I am currently involved in rolling QGIS 2.18 out in a corporate environment. The security risk of a user installing a malicious plugin from the Official Plugin Repository has come up.
>
> While we can ensure our corporate plugin repository is immediately visible to all corporate users via a startup.py script, it appears that we:
> - cannot remove the Official Plugin Repository from the repository list (due to https://github.com/qgis/QGIS/blob/release-2_18/python/pyplugin_installer/installer_data.py#L316-L326)
> - cannot disable the Official Plugin Repository via Python API (and the user would just be able to enable via the Plugin Manager interface anyway)
> - cannot set the Plugin Manager interface to only show trusted plugins
> - cannot set the url parameters to include trusted=true as the url params are hardcoded: https://github.com/qgis/QGIS/blob/release-2_18/python/pyplugin_installer/installer_data.py#L228
>
> So is there any other way to remove the Official Plugin Repository or limit the plugins that we allow users to view and install?
>
> Thanks
> Daniel
>
> ________________________________
>
> This message contains information, which may be in confidence and may be subject to legal privilege. If you are not the intended recipient, you must not peruse, use, disseminate, distribute or copy this message. If you have received this message in error, please notify us immediately (Phone 0800 665 463 or info at linz.govt.nz) and destroy the original message. LINZ accepts no responsibility for changes to this email, or for any attachments, after its transmission from LINZ. Thank You.
> _______________________________________________
> QGIS-Developer mailing list
> QGIS-Developer at lists.osgeo.org
> List info: https://lists.osgeo.org/mailman/listinfo/qgis-developer
> Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-developer
More information about the QGIS-Developer
mailing list