kdePackages.kio: allow loading admin worker from /nix/store

This does technically somewhat extend the trust boundary, but users with permissions to put things in the store can basically do anything they want anyway, so this should be fine(tm). Fixes #394540.
2025-03-30 10:36:46 +03:00 · 2025-03-30 10:36:46 +03:00 · 60b7349bdc
commit 60b7349bdc
parent 9da5a97dab
2 changed files with 22 additions and 0 deletions
--- a/pkgs/kde/frameworks/kio/allow-admin-from-store.patch
+++ b/pkgs/kde/frameworks/kio/allow-admin-from-store.patch
@ -0,0 +1,20 @@
+diff --git a/src/core/worker.cpp b/src/core/worker.cpp
+index da423731c..443c8db19 100644
+--- a/src/core/worker.cpp
+++ b/src/core/worker.cpp
+@@ -343,13 +343,13 @@ Worker *Worker::createWorker(const QString &protocol, const QUrl &url, int &erro
+         return nullptr;
+     }
+ 
+-    if (protocol == QLatin1String("admin") && !lib_path.startsWith(QLatin1String{KDE_INSTALL_FULL_KIO_PLUGINDIR})) {
+    if (protocol == QLatin1String("admin") && !lib_path.startsWith(QLatin1String("/nix/store"))) {
+         error_text = i18nc("@info %2 and %3 are paths",
+                            "The KIO worker for protocol “%1” in %2 was not loaded because all KIO workers which are located outside of %3 and ask for elevated "
+                            "privileges are considered insecure.",
+                            protocol,
+                            lib_path,
+-                           QLatin1String{KDE_INSTALL_FULL_KIO_PLUGINDIR});
+                           QLatin1String("/nix/store"));
+         error = KIO::ERR_CANNOT_CREATE_WORKER;
+         return nullptr;
+     }
--- a/pkgs/kde/frameworks/kio/default.nix
+++ b/pkgs/kde/frameworks/kio/default.nix
@ -11,6 +11,8 @@ mkKdeDerivation {
  patches = [
    # Remove hardcoded smbd search path
    ./0001-Remove-impure-smbd-search-path.patch
+    # Allow loading kio-admin from the store
+    ./allow-admin-from-store.patch
  ];

  extraBuildInputs = [