D10188: Sanitise notification HTML
Jason A. Donenfeld
noreply at phabricator.kde.org
Sun Feb 4 23:32:39 UTC 2018
zx2c4 reopened this revision.
zx2c4 added a comment.
This revision is now accepted and ready to land.
+ const QUrl url(src);
+ if (url.isLocalFile()) {
+ out.writeAttribute(QStringLiteral("src"), src);
+ } else {
+ //image denied for security reasons! Do not copy the image src here!
+ }
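Review bot: the `url.isLocalFile()` branch accepts every `file:` URL, so the path in `src` is never constrained before `writeAttribute` copies it to the output. If local images have to stay, canonicalise the path and restrict it to a fixed set of directories; otherwise drop the `src` attribute in both branches. The `else` that holds only a comment would also read more clearly as a negated condition with an early exit.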
This probably isn't a good idea either, since a remote attacker can
specify any local path, which could have unintended consequences. It's
a nice way, for example, of expanding a remote memory access into a
remote file access (loading file into malloc'd buffers), causing
traffic on network-mapped file paths, or other mischief. Under no
circumstances should a remote user be allowed to supply an arbitrary
local file path.
I'd recommend entirely denying <img> tags, and instead provide
developers with some other API to show photos. I believe this already
exists, in fact.
If you absolutely must have <img> tags, then at least use an inline
data URI, though this of course has its own problems too.
REPOSITORY
R120 Plasma Workspace
REVISION DETAIL
https://phabricator.kde.org/D10188
To: davidedmundson, #plasma, fvogt
Cc: zx2c4, broulik, aacid, fvogt, plasma-devel, ZrenBot, progwolff, lesliezhai, ali-mohamed, jensreuterberg, abetts, sebas, apol, mart
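A minimal sketch of the recommendation above to deny `<img>` outright, added here as an example and not code from Plasma or from this review: an allow-list sanitiser that never copies `src`, whatever its scheme. The tag allow-list, the `http`/`https` link rule and all names are assumptions of this sketch.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allow-list for this sketch; <img> is deliberately absent.
ALLOWED_TAGS = {"b", "i", "u", "a", "br"}
LINK_SCHEMES = {"http", "https"}

class NotificationSanitiser(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open_tags = [], []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "img":
            # Never copy src, whatever its scheme; keep only the alt text.
            self.out.append(escape(attrs.get("alt") or ""))
            return
        if tag not in ALLOWED_TAGS:
            return
        attr_text = ""
        if tag == "a":
            href = attrs.get("href") or ""
            try:
                scheme = urlsplit(href).scheme.lower()
            except ValueError:  # malformed URL: emit the link without href
                scheme = ""
            if scheme in LINK_SCHEMES:
                attr_text = ' href="%s"' % escape(href, quote=True)
        self.out.append("<%s%s>" % (tag, attr_text))
        if tag != "br":  # br is a void element and is never closed
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        # Close only the innermost tag we opened, so output stays balanced.
        if self.open_tags and self.open_tags[-1] == tag:
            self.open_tags.pop()
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        self.out.append(escape(data))  # text is always re-escaped

def sanitise(body):
    parser = NotificationSanitiser()
    parser.feed(body)
    parser.close()
    while parser.open_tags:  # close anything the sender left open
        parser.out.append("</%s>" % parser.open_tags.pop())
    return "".join(parser.out)
```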