[QGIS-Developer] Mitigating security risks of the Official Plugin Repository

Daniel Silk dsilk at linz.govt.nz
Thu Jan 25 14:37:12 PST 2018


From: Luigi Pirelli [luipir at gmail.com]
Sent: Thursday, January 25, 2018 10:38 PM
To: Daniel Silk
Cc: qgis-developer at lists.osgeo.org
Subject: Re: [QGIS-Developer] Mitigating security risks of the Official Plugin Repository

> as you can see reading the code in
> https://github.com/qgis/QGIS/blob/release-2_18/python/pyplugin_installer/installer_data.py#L316-L326
>
> repos are read from Settings (you can install a custom one via
> custom post-install scripts) and repos are compared with the officialRepo
> array, which is a global-scope var that you can get and set via python
>
> import pyplugin_installer
> print pyplugin_installer.installer_data.officialRepo
> (u'QGIS Official Plugin Repository',
> 'https://plugins.qgis.org/plugins/plugins.xml',
> 'https://plugins.qgis.org/plugins')
>
> because it's python you can overload/alias almost everything, also
> that function that has hardcoded params

Thanks Luigi,

If I do:

from qgis.PyQt.QtCore import QCoreApplication, QSettings
import pyplugin_installer

# Placeholder URLs for the internal repository (not values from this message).
new_url = 'https://PLACEHOLDER.internal/plugins/plugins.xml'
deprecated_url = 'https://PLACEHOLDER.internal/plugins'

# Replace the module-level officialRepo tuple (name, url, deprecated url)
# that the installer compares configured repositories against.
pyplugin_installer.installer_data.officialRepo = (
    QCoreApplication.translate(
        'QgsPluginInstaller',
        'QGIS Official Plugin Repository'),
    new_url,
    deprecated_url,
)

and also:

QSettings().setValue('Qgis/plugin-repos/QGIS Official Plugin Repository/url', new_url)

in my startup script then the official repository is successfully
replaced by our internal repository. Great!

> btw If you find an enhancement useful, please file a PR with your
> general solution that can be useful to other users.

If I submitted a PR that added a filter for trusted plugins similar to
the filters for experimental and deprecated plugins, could that only
be added to QGIS 3.2 (as a new feature)? Not 2.18?

Cheers
Daniel
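An added example, not code from this thread or from QGIS itself: a small script that builds the curated plugins.xml an internal repository like the one pointed to by new_url would serve, keeping only allow-listed plugins and dropping entries flagged experimental or deprecated, the two flags the installer already filters on. The pyqgis_plugin index layout, the plugin names and the allow-list are constructed assumptions.

```python
# Build a curated plugins.xml for an internal QGIS plugin repository: keep only
# allow-listed plugins and drop entries flagged experimental or deprecated (the
# two flags the installer already filters on). The index layout is assumed.
import xml.etree.ElementTree as ET

# Constructed sample upstream index for demonstration, not a real listing.
UPSTREAM_XML = """<plugins>
  <pyqgis_plugin name="Approved Tool" version="1.2.0">
    <experimental>False</experimental>
    <deprecated>False</deprecated>
  </pyqgis_plugin>
  <pyqgis_plugin name="Approved Tool" version="2.0.0-beta">
    <experimental>True</experimental>
    <deprecated>False</deprecated>
  </pyqgis_plugin>
  <pyqgis_plugin name="Random Uploader Plugin" version="0.1">
    <experimental>False</experimental>
    <deprecated>False</deprecated>
  </pyqgis_plugin>
</plugins>
"""

TRUSTED_PLUGINS = {"Approved Tool"}  # hypothetical allow-list kept by the GIS team

def _flag(plugin, tag):
    """True when a child element such as <experimental> reads 'True'."""
    node = plugin.find(tag)
    return node is not None and (node.text or "").strip().lower() == "true"

def curate(xml_text, trusted):
    """Return (curated_root, rejected); rejected holds (name, version, reason)."""
    root = ET.fromstring(xml_text)
    rejected = []
    for plugin in list(root.findall("pyqgis_plugin")):
        name, version = plugin.get("name"), plugin.get("version")
        if name not in trusted:
            reason = "not on allow-list"
        elif _flag(plugin, "experimental") or _flag(plugin, "deprecated"):
            reason = "experimental or deprecated"
        else:
            continue  # trusted and stable: stays in the index
        root.remove(plugin)
        rejected.append((name, version, reason))
    return root, rejected

if __name__ == "__main__":
    root, rejected = curate(UPSTREAM_XML, TRUSTED_PLUGINS)
    print(ET.tostring(root, encoding="unicode"))  # the curated plugins.xml body
    print("dropped:", rejected)
```

Writing the curated root with ET.ElementTree(root).write(...) gives the plugins.xml to publish at the internal URL; the rejected list is what an operator would review or log.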
