Bug 480193

Summary: KMail QML HTML injection via --subject and --attach
Product: [Applications] kmail2 Reporter: Benjamin Flesch <benjaminflesch>
Component: composerAssignee: kdepim bugs <kdepim-bugs>
Status: REPORTED ---    
Severity: normal CC: montel
Priority: NOR    
Version: unspecified   
Target Milestone: ---   
Platform: Other   
OS: Linux   
Latest Commit: Version Fixed In:
Sentry Crash Report:

Description Benjamin Flesch 2024-01-22 22:11:08 UTC 
SUMMARY
***
HTML injection into KMail UI
afaik not security issue because external image urls are not followed
***


STEPS TO REPRODUCE
1. kmail --composer --body '' --attach '<h1>HTML Injection bf</h1><img source="https://www.spyber.com/sig-25163.png"  width="100" height="100" />'
2. kmail --composer --attach 'asdasd <h1>HTML Injection @bf</h1><img src="0" /> ' --subject '<h1>injectko</h1>asdasd'


OBSERVED RESULT
custom HTML in kmail UI and alert dialogs

EXPECTED RESULT
no custom HTML in kmail UI


SOFTWARE/OS VERSIONS
kmail2 5.24.4 (23.08.4)
Comment 1 Laurent Montel 2024-01-23 05:59:16 UTC 
Git commit a10fca4cb4d16440db694a9e007186c1230eba69 by Laurent Montel.
Committed on 23/01/2024 at 06:59.
Pushed by mlaurent into branch 'release/24.02'.

Don't insert HTML in subject

M  +2    -2    src/editor/kmcomposerwin.cpp

https://invent.kde.org/pim/kmail/-/commit/a10fca4cb4d16440db694a9e007186c1230eba69
Comment 2 Laurent Montel 2024-01-23 06:01:09 UTC 
Git commit 3442628448349d1f12d97a28efc397d5e08c3001 by Laurent Montel.
Committed on 23/01/2024 at 07:01.
Pushed by mlaurent into branch 'master'.

Don't insert HTML in subject

M  +2    -2    src/editor/kmcomposerwin.cpp

https://invent.kde.org/pim/kmail/-/commit/3442628448349d1f12d97a28efc397d5e08c3001
Comment 3 Laurent Montel 2024-01-23 07:04:54 UTC 
For subject I fixed it.
For attachment, I don't see how I can fix it...
Comment 4 Bug Janitor Service 2024-03-12 15:18:23 UTC 
A possibly relevant merge request was started @ https://invent.kde.org/frameworks/kio/-/merge_requests/1574
Comment 5 Bug Janitor Service 2024-03-12 15:23:24 UTC 
A possibly relevant merge request was started @ https://invent.kde.org/pim/kmail/-/merge_requests/123
Comment 6 Carl Schwan 2024-03-12 20:06:32 UTC 
Git commit d67a5362a28c1e8fbca2e115b4154c09adb6ec43 by Carl Schwan.
Committed on 12/03/2024 at 20:06.
Pushed by carlschwan into branch 'master'.

Fix HTML injection in externally added warning widget

M  +13   -2    src/editor/warningwidgets/attachmentaddedfromexternalwarning.cpp

https://invent.kde.org/pim/kmail/-/commit/d67a5362a28c1e8fbca2e115b4154c09adb6ec43
Comment 7 Carl Schwan 2024-03-12 20:07:31 UTC 
Git commit f09e83b3b91637fe3b5812e50fd796b7fb78a7f6 by Carl Schwan.
Committed on 12/03/2024 at 20:07.
Pushed by carlschwan into branch 'release/24.02'.

Fix HTML injection in externally added warning widget


(cherry picked from commit d67a5362a28c1e8fbca2e115b4154c09adb6ec43)

M  +13   -2    src/editor/warningwidgets/attachmentaddedfromexternalwarning.cpp

https://invent.kde.org/pim/kmail/-/commit/f09e83b3b91637fe3b5812e50fd796b7fb78a7f6