Summary: | XSS In System Settings Module | ||
---|---|---|---|
Product: | [Plasma] plasma-nm | Reporter: | Czarek Nakamoto <mrcyjanek> |
Component: | kcm | Assignee: | Jan Grulich <jgrulich> |
Status: | RESOLVED FIXED | ||
Severity: | major | CC: | jakub.skrzypnik, kde, nate |
Priority: | HI | ||
Version: | unspecified | ||
Target Milestone: | --- | ||
Platform: | Kubuntu | ||
OS: | Linux | ||
Latest Commit: | | Version Fixed In: | 5.12.10 |
Attachments:
It shows an xss
This appear after inputting incorrect password
This appear after when I tried to delete network.
This appear after connecting to network as a notification
Description
Czarek Nakamoto
2020-02-21 10:16:44 UTC
Affects me as well; it allows putting arbitrary code in here, even a YouTube video. Most likely the scope is wider than network lists and might apply to other system dialog boxes.

KDE version: 5.18.1
KDE frameworks version: 5.67.0
Qt version: 5.14.1

Created attachment 126250
This appear after inputting incorrect password

Created attachment 126251
This appear after when I tried to delete network.

Created attachment 126252
This appear after connecting to network as a notification
Note you are limited in what you can script, you have:
https://doc.qt.io/archives/qt-4.8/richtext-html-subset.html

It's not anywhere near the same severity as a website. But yeah, it should be fixed anyway.

I'm not sure how templating/formatting strings with external data is being done in this particular case, but shouldn't there be a sanitization/stripping step before parsing them in UI? But saying it that way, the bug might probably be pushed on Qt upstream.

You can't sanitize them.

Sanitize and put them on a QPushButton or a table, you're now rendering &amp; or whatever in your text instead of correct characters.
Don't sanitize and put in a label and you have this issue.

See: D27545, D27542, D27541, D27543

Git commit fb1a8474651ef1ab5861b9221e41ff56e3d814e6 by David Edmundson.
Committed on 21/02/2020 at 12:37.
Pushed by davidedmundson into branch 'Plasma/5.12'.

Set all labels to plain text

Reviewers: #plasma, jgrulich
Reviewed By: jgrulich
Subscribers: jgrulich, plasma-devel
Tags: #plasma
Differential Revision: https://phabricator.kde.org/D27543

M +3 -0 src/kcmodule/devices/devicedetails.ui
M +2 -2 src/kded/helpers/requestauthorization.cpp
M +2 -2 src/kded/helpers/requestconfirmation.cpp
M +2 -2 src/kded/helpers/requestpin.cpp
M +2 -2 src/kded/receivefilejob.cpp
M +5 -1 src/sendfile/pages/connecting.ui
M +3 -0 src/sendfile/pages/failpage.ui
M +3 -0 src/wizard/pages/fail.ui
M +5 -1 src/wizard/pages/pairing.ui
M +3 -0 src/wizard/pages/success.ui

https://commits.kde.org/bluedevil/fb1a8474651ef1ab5861b9221e41ff56e3d814e6

Git commit 762504196246af2947a3a113f1a57fac7942aab0 by David Edmundson.
Committed on 21/02/2020 at 12:41.
Pushed by davidedmundson into branch 'Plasma/5.12'.

[kded] Set password dialog boxes to plaintext

Summary:
CCBUG: 417980

Reviewers: #plasma, jgrulich
Reviewed By: jgrulich
Subscribers: plasma-devel
Tags: #plasma
Differential Revision: https://phabricator.kde.org/D27541

M +6 -0 kded/passworddialog.ui

https://commits.kde.org/plasma-nm/762504196246af2947a3a113f1a57fac7942aab0

Given the fix can't be universal, there is a chance we have missed some locations. Please do comment on bugzilla if new occurrences are found.

Also please see https://kde.org/info/security/ in future.
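
Added example, not part of the bug thread or of KDE's code: since the fix is applied label by label and locations may have been missed, one way to audit for them is to scan Qt Designer .ui files for QLabel widgets that do not declare plain text. It assumes the setting appears in the .ui XML as a `textFormat` property with the enum `Qt::PlainText`; the sample XML, widget names and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample .ui content, not taken from plasma-nm or bluedevil.
SAMPLE_UI = """<ui version="4.0">
 <widget class="QWidget" name="ExampleDialog">
  <layout class="QVBoxLayout" name="layout">
   <item>
    <widget class="QLabel" name="labelNoFormat">
     <property name="text"><string>Connecting</string></property>
    </widget>
   </item>
   <item>
    <widget class="QLabel" name="labelPlain">
     <property name="textFormat"><enum>Qt::PlainText</enum></property>
    </widget>
   </item>
   <item>
    <widget class="QLabel" name="labelRich">
     <property name="textFormat"><enum>Qt::RichText</enum></property>
    </widget>
   </item>
   <item><widget class="QLineEdit" name="password"/></item>
  </layout>
 </widget>
</ui>"""

def label_formats(ui_xml):
    """Map each QLabel's name to its declared textFormat (None if unset)."""
    formats = {}
    for widget in ET.fromstring(ui_xml).iter("widget"):
        if widget.get("class") != "QLabel":
            continue
        declared = None
        # Only direct child properties belong to this widget.
        for prop in widget.findall("property"):
            if prop.get("name") == "textFormat":
                declared = (prop.findtext("enum") or "").strip() or None
        formats[widget.get("name")] = declared
    return formats

def labels_not_plain(ui_xml):
    """Names of QLabels that can still render their text as rich text.

    An unset textFormat falls back to QLabel's default, Qt::AutoText,
    which treats text that looks like markup as rich text.
    """
    return sorted(n for n, f in label_formats(ui_xml).items()
                  if f != "Qt::PlainText")

if __name__ == "__main__":
    for name in labels_not_plain(SAMPLE_UI):
        print("textFormat is not Qt::PlainText:", name)
```

Labels created or configured in C++, such as the .cpp helpers touched by the bluedevil commit above, are outside what this check sees and need a separate review.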