| Summary: | The rename dialog should show the file name as plain text | ||
|---|---|---|---|
| Product: | [Applications] dolphin | Reporter: | Suniobo <suniobo> |
| Component: | view-engine: general | Assignee: | Dolphin Bug Assignee <dolphin-bugs-null> |
| Status: | RESOLVED FIXED | ||
| Severity: | normal | CC: | emmanuelpescosta099, greycod3, mrdestruct0r |
| Priority: | NOR | Keywords: | junior-jobs, reproducible |
| Version: | 2.0 | ||
| Target Milestone: | --- | ||
| Platform: | Debian testing | ||
| OS: | Linux | ||
| Latest Commit: | http://commits.kde.org/kde-baseapps/4e6d2d849a272fd0858b9f070659576b6af44827 | Version Fixed In: | 4.10 |
| Attachments: | Demonstration of HTML markup | ||
|
Description
Suniobo
2013-01-07 11:47:31 UTC
Created attachment 76271 [details]
Demonstration of HTML markup
Thanks for the bug report. I agree that this should be fixed, but I fail to see why this is a security bug. Note: In Dolphin >= 2.1, one has to disable inline renaming to reproduce the bug. > Thanks for the bug report. I agree that this should be fixed, but I fail to
> see why this is a security bug.
Frank, I don't exactly know if is possible to run arbitrary JavaScript through it. For example, if instead of HTML payload will consist of some piece of JavaScript.
(In reply to comment #3) > Frank, I don't exactly know if is possible to run arbitrary JavaScript > through it. I seriously doubt that a simple label will execute Javascript code, but feel free to try it and prove me wrong ;-) (In reply to comment #0) > Reproducible: Always > > Steps to Reproduce: > 1. Create file with name "><hr><h1>123.txt > 2. Try to rename it > Actual Results: > See HTML markup in rename dialog This bug is also valid for the metadata widget. (KDE 4.9.5) - Is it fixed in nepomuk-widgets? (In reply to comment #3) > > Thanks for the bug report. I agree that this should be fixed, but I fail to > > see why this is a security bug. > Frank, I don't exactly know if is possible to run arbitrary JavaScript > through it. For example, if instead of HTML payload will consist of some > piece of JavaScript. <a href="javascript:alert('evil js!')">click me</a> The popup doesn't appear when I click on the link (also tested with other javascript snippets) ... so I think, that the QLabel only parses html content, but doesn't execute js code. -> No file name XSS in Dolphin ;) Please correct me if I am wrong. (In reply to comment #6) > (In reply to comment #3) > > > Thanks for the bug report. I agree that this should be fixed, but I fail to > > > see why this is a security bug. > > Frank, I don't exactly know if is possible to run arbitrary JavaScript > > through it. For example, if instead of HTML payload will consist of some > > piece of JavaScript. > > <a href="javascript:alert('evil js!')">click me</a> > > The popup doesn't appear when I click on the link (also tested with other > javascript snippets) ... so I think, that the QLabel only parses html > content, but doesn't execute js code. -> No file name XSS in Dolphin ;) > Please correct me if I am wrong. Emmanuel, yes, looks like only pure HTML parsing exists. Furthermore it is not possible to render e.g. image. Git commit 4e6d2d849a272fd0858b9f070659576b6af44827 by Emmanuel Pescosta. Committed on 09/01/2013 at 16:17. Pushed by emmanuelp into branch 'KDE/4.10'. Show the file name as plain text in the rename dialog Related: bug 262464 FIXED-IN: 4.10 REVIEW: 108291 M +1 -0 dolphin/src/views/renamedialog.cpp http://commits.kde.org/kde-baseapps/4e6d2d849a272fd0858b9f070659576b6af44827 *** Bug 336729 has been marked as a duplicate of this bug. *** *** Bug 342278 has been marked as a duplicate of this bug. *** |