Bug 453248

Summary: Path traversal bugs when saving various resources
Product: [Applications] krita Reporter: Nagy Tibor <xnagytibor>
Component: Resource ManagementAssignee: Krita Bugs <krita-bugs-null>
Status: CONFIRMED ---    
Severity: normal CC: halla, myusualnickname
Priority: NOR    
Version First Reported In: 5.0.5   
Target Milestone: ---   
Platform: Neon   
OS: Linux   
Latest Commit: Version Fixed/Implemented In:
Sentry Crash Report:
Attachments: Screen capture

Description Nagy Tibor 2022-05-01 04:36:50 UTC 
Created attachment 148484 [details]
Screen capture

SUMMARY
There's a path traversal bug when saving gradients in Krita. Krita doesn't sanitize the name field used for the file names of gradients, dropping files outside of the "$XDG_DATA_HOME/krita/gradients" directory.

Similar to Bug 429925.

I haven't tested it thoroughly but I have a feeling this bug may also be present with other resource types. (palettes, brushes, etc.)

STEPS TO REPRODUCE
1. Create or open a new document
2. Gradients toolbar button -> Add...
3. Enter "../../../../test/abcd" as the name field
4. Click OK

OBSERVED RESULT
See attachment.

EXPECTED RESULT
Sanitize the name field before using it as a file name.

SOFTWARE/OS VERSIONS
Operating System: KDE neon 5.24
KDE Plasma Version: 5.24.4
KDE Frameworks Version: 5.93.0
Qt Version: 5.15.3
Graphics Platform: X11
Comment 1 Nagy Tibor 2022-05-01 08:13:00 UTC 
I went through most Krita features, I found more places vulnerable to these path traversals:
- Gradients (.svg)
- Palettes (.kpl)
- Predefined image sizes (.predefinedimage)
- Author profiles (.authorinfo)
- Workspaces (.kws)
- Resource bundles (.bundle)

Repro is the same everywhere:
- Create new something...
- Enter a relative path including "../../" as the name
- Save
Comment 2 Halla Rempt 2022-05-10 13:18:09 UTC 
Note: svg/stop gradients apparently are all saved as "unnamed.svg" right now and cannot be overwrriten. I think that's a way more important bug, though...
Comment 3 myusualnickname@gmail.com 2024-04-29 10:02:33 UTC 
This may be a kio bug?