Created attachment 126247 [details]
It shows an XSS
SUMMARY
Creating a wifi network with a malicious name, for example '<img src=x onerror=alert(1) />', will lead to XSS in connection settings.
STEPS TO REPRODUCE
1. Create malicious hotspot
2. Connect to it
3.0 Delete it from network manager
3.1 Input wrong password, so popup will appear, with XSS
OBSERVED RESULT
I observed a blank image as the network name. https://telegra.ph/file/2825a8e2f17ff60149230.png
EXPECTED RESULT
I expect it to display the network name
SOFTWARE/OS VERSIONS
Windows:
macOS:
Linux/KDE Plasma: Kubuntu 19.10 (available in About System)
KDE Plasma Version: 5.16.5
KDE Frameworks Version: 5.62.0
Qt Version: 5.12.4
ADDITIONAL INFORMATION
N/A
Affects me as well; it allows putting arbitrary code in here, even a YouTube video. Most likely the scope is wider than network lists and might apply to other system dialog boxes.
KDE version: 5.18.1
KDE frameworks version: 5.67.0
Qt version: 5.14.1
Created attachment 126250 [details] This appears after inputting an incorrect password
Created attachment 126251 [details] This appears after I tried to delete the network.
Created attachment 126252 [details] This appears after connecting to the network, as a notification
Note you are limited in what you can script, you have: https://doc.qt.io/archives/qt-4.8/richtext-html-subset.html It's nowhere near the same severity as a website. But yeah, it should be fixed anyway.
I'm not sure how templating/formatting strings with external data is being done in this particular case, but shouldn't there be a sanitization/stripping step before parsing them in the UI? But put that way, the bug might probably be pushed to Qt upstream.
You can't sanitize them. Sanitize and put them on a QPushButton or a table, and you're now rendering & or whatever in your text instead of the correct characters. Don't sanitize and put them in a label, and you have this issue.
See: D27545, D27542, D27541, D27543
Git commit fb1a8474651ef1ab5861b9221e41ff56e3d814e6 by David Edmundson.
Committed on 21/02/2020 at 12:37.
Pushed by davidedmundson into branch 'Plasma/5.12'.
Set all labels to plain text
Reviewers: #plasma, jgrulich
Reviewed By: jgrulich
Subscribers: jgrulich, plasma-devel
Tags: #plasma
Differential Revision: https://phabricator.kde.org/D27543
M +3 -0 src/kcmodule/devices/devicedetails.ui
M +2 -2 src/kded/helpers/requestauthorization.cpp
M +2 -2 src/kded/helpers/requestconfirmation.cpp
M +2 -2 src/kded/helpers/requestpin.cpp
M +2 -2 src/kded/receivefilejob.cpp
M +5 -1 src/sendfile/pages/connecting.ui
M +3 -0 src/sendfile/pages/failpage.ui
M +3 -0 src/wizard/pages/fail.ui
M +5 -1 src/wizard/pages/pairing.ui
M +3 -0 src/wizard/pages/success.ui
https://commits.kde.org/bluedevil/fb1a8474651ef1ab5861b9221e41ff56e3d814e6
Git commit 762504196246af2947a3a113f1a57fac7942aab0 by David Edmundson.
Committed on 21/02/2020 at 12:41.
Pushed by davidedmundson into branch 'Plasma/5.12'.
[kded] Set password dialog boxes to plaintext
Summary: CCBUG: 417980
Reviewers: #plasma, jgrulich
Reviewed By: jgrulich
Subscribers: plasma-devel
Tags: #plasma
Differential Revision: https://phabricator.kde.org/D27541
M +6 -0 kded/passworddialog.ui
https://commits.kde.org/plasma-nm/762504196246af2947a3a113f1a57fac7942aab0
Given the fix can't be universal, there is a chance we have missed some locations. Please do comment on bugzilla if new occurrences are found. Also please see https://kde.org/info/security/ in future.
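Because the fix is applied per widget and locations can be missed, one way to look for remaining ones is to scan Qt Designer `.ui` files for `QLabel` widgets that do not set `textFormat` to `Qt::PlainText`. This is an added example, not part of the thread or of KDE's code; the sample `.ui` content is constructed, and the function names `labels_without_plain_text` and `audit_tree` are hypothetical.

```python
import sys
import xml.etree.ElementTree as ET
from pathlib import Path
# Constructed sample .ui content, not taken from the plasma-nm or bluedevil sources.
SAMPLE_UI = """<?xml version="1.0" encoding="UTF-8"?>
<ui version="4.0">
 <widget class="QDialog" name="PasswordDialog">
  <widget class="QLabel" name="labelText">
   <property name="text"><string>Password required</string></property>
  </widget>
  <widget class="QLabel" name="labelSsid">
   <property name="textFormat"><enum>Qt::PlainText</enum></property>
  </widget>
  <widget class="QLabel" name="labelHint">
   <property name="textFormat"><enum>Qt::AutoText</enum></property>
  </widget>
  <widget class="QLineEdit" name="password"/>
 </widget>
</ui>
"""

def labels_without_plain_text(ui_xml):
    """Return the names of QLabel widgets whose textFormat is not plain text."""
    flagged = []
    for widget in ET.fromstring(ui_xml).iter("widget"):
        if widget.get("class") != "QLabel":
            continue
        fmt = None
        for prop in widget.findall("property"):  # direct children only
            if prop.get("name") == "textFormat":
                fmt = (prop.findtext("enum") or "").strip()
        # No textFormat property means the default, Qt::AutoText, which
        # auto-detects rich text. endswith() tolerates a scope-qualified enum.
        if fmt is None or not fmt.endswith("PlainText"):
            flagged.append(widget.get("name", "<unnamed>"))
    return flagged

def audit_tree(top):
    """Map each .ui file under `top` to its flagged label names."""
    report = {}
    for path in sorted(Path(top).rglob("*.ui")):
        try:
            flagged = labels_without_plain_text(path.read_bytes())
        except ET.ParseError as exc:
            flagged = [f"<unparsable: {exc}>"]
        if flagged:
            report[str(path)] = flagged
    return report

if __name__ == "__main__":
    print(audit_tree(sys.argv[1]) if len(sys.argv) > 1 else labels_without_plain_text(SAMPLE_UI))
```

A flagged label only matters if it can display externally controlled text such as a network or device name, and labels created in C++ or QML are outside what this scan sees.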