[QGIS-Developer] Mitigating security risks of the Official Plugin Repository

Alessandro Pasotti apasotti at gmail.com
Thu Jan 25 01:40:40 PST 2018


On Thu, Jan 25, 2018 at 2:13 AM, Daniel Silk <dsilk at linz.govt.nz> wrote:

> Hi all
>
> I am currently involved in rolling QGIS 2.18 out in a corporate
> environment. The security risk of a user installing a malicious plugin from
> the Official Plugin Repository has come up.
>
> While we can ensure our corporate plugin repository is immediately visible
> to all corporate users via a startup.py script, it appears that we:
> - cannot remove the Official Plugin Repository from the repository list
> (due to https://github.com/qgis/QGIS/blob/release-2_18/python/pyplugin_installer/installer_data.py#L316-L326)
> - cannot disable the Official Plugin Repository via Python API (and the
> user would just be able to enable via the Plugin Manager interface anyway)
> - cannot set the Plugin Manager interface to only show trusted plugins
> - cannot set the url parameters to include trusted=true as the url params
> are hardcoded: https://github.com/qgis/QGIS/blob/release-2_18/python/pyplugin_installer/installer_data.py#L228
>
> So is there any other way to remove the Official Plugin Repository or
> limit the plugins that we allow users to view and install?
>


Not for QGIS 2.x, sorry. The QGIS 3 QgsSettings global settings allow
customizing installations for deployment in organizations, but they were
introduced in QGIS 3 only.


-- 
Alessandro Pasotti
w3:   www.itopen.it
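An added example, not code from this thread or from QGIS itself, of the kind of filtering a corporate plugin repository like the one mentioned above could apply before publishing its own plugins.xml: it reads a feed in the layout used by the official repository (assumed here: a `<plugins>` root with one `<pyqgis_plugin>` element per release, each with `<trusted>`, `<experimental>`, `<deprecated>`, `<download_url>` and `<file_name>` children) and keeps only releases that are on an allow-list, marked trusted, neither experimental nor deprecated, and downloadable over https. The feed embedded in the script is constructed for the example; the allow-list names are placeholders.

```python
"""Build an allow-listed plugins.xml for an internal QGIS plugin repository.

Added example, not code from the mailing-list thread or from QGIS. It assumes
the feed layout of plugins.qgis.org (a <plugins> root with one <pyqgis_plugin>
element per release carrying <trusted>, <experimental>, <deprecated>,
<download_url> and <file_name> children). SAMPLE_FEED below is constructed
for this example; the plugin names are placeholders.
"""
import xml.etree.ElementTree as ET

# Constructed sample feed covering one acceptable release and three that
# should be rejected for different reasons.
SAMPLE_FEED = """<plugins>
  <pyqgis_plugin name="Good Plugin" version="1.2.0">
    <description>Constructed sample, on the allow-list and trusted</description>
    <trusted>True</trusted>
    <experimental>False</experimental>
    <deprecated>False</deprecated>
    <download_url>https://plugins.example.org/good_plugin/1.2.0/download/</download_url>
    <file_name>good_plugin.1.2.0.zip</file_name>
  </pyqgis_plugin>
  <pyqgis_plugin name="Other Plugin" version="0.9.1">
    <description>Constructed sample, trusted but not on the allow-list</description>
    <trusted>True</trusted>
    <experimental>False</experimental>
    <deprecated>False</deprecated>
    <download_url>https://plugins.example.org/other_plugin/0.9.1/download/</download_url>
    <file_name>other_plugin.0.9.1.zip</file_name>
  </pyqgis_plugin>
  <pyqgis_plugin name="Sketchy Plugin" version="2.0.0">
    <description>Constructed sample, on the allow-list but not trusted</description>
    <trusted>False</trusted>
    <experimental>False</experimental>
    <deprecated>False</deprecated>
    <download_url>https://plugins.example.org/sketchy_plugin/2.0.0/download/</download_url>
    <file_name>sketchy_plugin.2.0.0.zip</file_name>
  </pyqgis_plugin>
  <pyqgis_plugin name="Beta Tool" version="0.1.0">
    <description>Constructed sample, trusted but experimental and served over http</description>
    <trusted>True</trusted>
    <experimental>True</experimental>
    <deprecated>False</deprecated>
    <download_url>http://plugins.example.org/beta_tool/0.1.0/download/</download_url>
    <file_name>beta_tool.0.1.0.zip</file_name>
  </pyqgis_plugin>
</plugins>
"""

# Placeholder allow-list: the plugin names an organization has reviewed.
ALLOW_LIST = {"Good Plugin", "Sketchy Plugin", "Beta Tool"}


def _flag(plugin, tag):
    """Return True when the child element <tag> reads 'True' (case-insensitive)."""
    child = plugin.find(tag)
    return child is not None and (child.text or "").strip().lower() == "true"


def filter_feed(xml_text, allowed_names, require_trusted=True):
    """Return (kept_root, rejected) where kept_root is a new <plugins> tree.

    rejected is a list of (name, version, [reasons]) for every release that
    was dropped, so the decision can be logged and audited.
    """
    root = ET.fromstring(xml_text)
    kept = ET.Element("plugins")
    rejected = []
    for plugin in root.findall("pyqgis_plugin"):
        name = plugin.get("name", "")
        version = plugin.get("version", "")
        reasons = []
        if name not in allowed_names:
            reasons.append("not on allow-list")
        if require_trusted and not _flag(plugin, "trusted"):
            reasons.append("not marked trusted")
        if _flag(plugin, "experimental"):
            reasons.append("experimental")
        if _flag(plugin, "deprecated"):
            reasons.append("deprecated")
        download = (plugin.findtext("download_url") or "").strip()
        if not download.startswith("https://"):
            reasons.append("download_url is not https")
        if reasons:
            rejected.append((name, version, reasons))
            continue
        kept.append(plugin)
    return kept, rejected


def kept_names(kept_root):
    """Sorted plugin names present in a filtered <plugins> tree."""
    return sorted(p.get("name", "") for p in kept_root.findall("pyqgis_plugin"))


def render(kept_root):
    """Serialize the filtered tree as the plugins.xml to publish internally."""
    return ET.tostring(kept_root, encoding="unicode")


if __name__ == "__main__":
    kept, rejected = filter_feed(SAMPLE_FEED, ALLOW_LIST)
    for name, version, reasons in rejected:
        print("rejected %s %s: %s" % (name, version, ", ".join(reasons)))
    print(render(kept))
```

The script only reshapes the feed; it does not fetch anything, so an internal mirror would still have to download the allowed zip files itself and serve them from the `download_url` values it publishes.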