D6673: [Notifications] Manually remove remote images
Kai Uwe Broulik
noreply at phabricator.kde.org
Thu Jul 13 09:55:49 UTC 2017
broulik created this revision.
Restricted Application added a project: Plasma.
Restricted Application added a subscriber: plasma-devel.
REVISION SUMMARY
We allow HTML in Notifications and QtQuick Text will even load remote images which poses a privacy threat.
The network access manager factory we install is ineffective as Plasma uses a shared engine nowadays and whenever a new QmlObject shared engine is created, its setupBindings will re-install the KIO access factory.
TEST PLAN
5.8 branch on Fabian's request as this is a security issue
Can no longer cause network requests by sending a notification with `<img src="http://...">` or `<span style="background: url(http://...)">`.
(Btw I noticed that setupBindings is called >100 times on Plasma startup, setting up the very same QML engine over and over again, including creating a KIO NAM factory, KLocalizedContext and KIcon image provider)
REPOSITORY
R120 Plasma Workspace
REVISION DETAIL
https://phabricator.kde.org/D6673
AFFECTED FILES
applets/notifications/package/contents/ui/NotificationItem.qml
applets/notifications/plugin/CMakeLists.txt
applets/notifications/plugin/notificationshelperplugin.cpp
applets/notifications/plugin/notificationshelperplugin.h
applets/notifications/plugin/textsanitizer.cpp
applets/notifications/plugin/textsanitizer.h
To: broulik, #plasma, fvogt
Cc: plasma-devel, ZrenBot, progwolff, lesliezhai, ali-mohamed, jensreuterberg, abetts, sebas, apol, mart, lukas
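The sanitisation the summary describes (dropping `<img>` elements and `style` url() values that would make the renderer fetch from a remote host) as an added Python illustration; this is not the revision's own textsanitizer code, and the set of "remote" schemes, the attribute handling and the CSS url() matching are assumptions made here.

```python
"""Illustrative sanitizer: strip remote image references from notification HTML."""
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Schemes whose URLs are fetched over the network when the text is rendered (assumed set).
REMOTE_SCHEMES = {"http", "https", "ftp"}
# Pulls the target out of CSS url(...) tokens in a style attribute; deliberately simple.
CSS_URL_RE = re.compile(r"""url\(\s*['"]?([^'")]+)['"]?\s*\)""", re.IGNORECASE)

def is_remote(url: str) -> bool:
    """True if loading this URL would cause a network request (protocol-relative included)."""
    url = url.strip()
    return url.startswith("//") or urlsplit(url).scheme.lower() in REMOTE_SCHEMES

class RemoteImageStripper(HTMLParser):
    """Re-emits the markup minus <img> with a remote src and style attributes with remote url()."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)  # entities arrive decoded; re-escaped on output
        self.out: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "img" and any(k == "src" and is_remote(v or "") for k, v in attrs):
            return  # remote image: drop the whole element, nothing is fetched
        kept = []
        for name, value in attrs:
            if name == "style" and value and any(is_remote(u) for u in CSS_URL_RE.findall(value)):
                continue  # background: url(http://...) would fetch too; drop the attribute
            kept.append(f' {name}="{escape(value, quote=True)}"' if value is not None else f" {name}")
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # <img ... /> gets the same treatment

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

def sanitize(html_text: str) -> str:
    """Return html_text with every remote image reference removed."""
    parser = RemoteImageStripper()
    parser.feed(html_text)
    parser.close()
    return "".join(parser.out)
```

Local references (file:, image:, relative paths) and plain formatting tags pass through unchanged, so only the markup that would cause a network request is affected.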