Created attachment 148484 [details]
Screen capture

SUMMARY
There's a path traversal bug when saving gradients in Krita. Krita doesn't sanitize the name field used for the file names of gradients, dropping files outside of the "$XDG_DATA_HOME/krita/gradients" directory. Similar to Bug 429925. I haven't tested it thoroughly, but I have a feeling this bug may also be present with other resource types (palettes, brushes, etc.).

STEPS TO REPRODUCE
1. Create or open a new document
2. Gradients toolbar button -> Add...
3. Enter "../../../../test/abcd" as the name field
4. Click OK

OBSERVED RESULT
See attachment.

EXPECTED RESULT
Sanitize the name field before using it as a file name.

SOFTWARE/OS VERSIONS
Operating System: KDE neon 5.24
KDE Plasma Version: 5.24.4
KDE Frameworks Version: 5.93.0
Qt Version: 5.15.3
Graphics Platform: X11
I went through most Krita features. I found more places vulnerable to these path traversals:
- Gradients (.svg)
- Palettes (.kpl)
- Predefined image sizes (.predefinedimage)
- Author profiles (.authorinfo)
- Workspaces (.kws)
- Resource bundles (.bundle)

Repro is the same everywhere:
- Create new something...
- Enter a relative path including "../../" as the name
- Save
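The fix the reporter asks for is to sanitize the name before it becomes a file name, and the list above shows why the check belongs in one shared place rather than in each resource saver. The following is an added example for this thread, not Krita's code: it shows the two layers a practitioner would want, a sanitizer that collapses any user-supplied name to a single safe path component, and an independent containment check at the point of the write that confirms the normalised target is still inside the resource directory. Function names, the sample directory and the sample names are assumptions. The containment check is purely lexical; it does not see symlinks inside the resource directory, so it is a second line of defence, not a replacement for the sanitizer.

```cpp
#include <cctype>
#include <optional>
#include <sstream>
#include <string>
#include <vector>

// Hypothetical helper (not Krita's): reduce a user-supplied resource name to
// a single path component. Returns std::nullopt when nothing usable remains.
std::optional<std::string> sanitizeResourceName(const std::string &name) {
    std::string out;
    for (unsigned char c : name) {
        // Directory separators and control characters never belong in a file
        // name component. Replace rather than drop them, so "a/b" and "ab"
        // still map to different files.
        if (c == '/' || c == '\\' || c < 0x20 || c == 0x7f) {
            out.push_back('_');
        } else {
            out.push_back(static_cast<char>(c));
        }
    }
    // Trim leading/trailing whitespace and dots: "." and ".." are traversal
    // components, and trailing dots/spaces are mangled on Windows anyway.
    auto keep = [](unsigned char c) { return !std::isspace(c) && c != '.'; };
    size_t b = 0, e = out.size();
    while (b < e && !keep(out[b])) ++b;
    while (e > b && !keep(out[e - 1])) --e;
    out = out.substr(b, e - b);
    if (out.empty()) return std::nullopt;
    return out;
}

// Lexically normalise a '/'-separated path: drop "" and "." components and
// resolve ".." against the preceding component (never climbing above root).
static std::vector<std::string> splitNormalize(const std::string &p) {
    std::vector<std::string> parts;
    std::string cur;
    std::stringstream ss(p);
    while (std::getline(ss, cur, '/')) {
        if (cur.empty() || cur == ".") continue;
        if (cur == "..") {
            if (!parts.empty()) parts.pop_back();
            continue;
        }
        parts.push_back(cur);
    }
    return parts;
}

// Second, independent defence: given the resource directory and the path about
// to be written, confirm the normalised target lies strictly inside the
// directory. Run this at the write itself, so a later caller that bypasses
// the sanitizer cannot reintroduce the traversal.
bool isInsideDirectory(const std::string &baseDir, const std::string &target) {
    std::vector<std::string> base = splitNormalize(baseDir);
    std::vector<std::string> tgt = splitNormalize(target);
    if (tgt.size() <= base.size()) return false;  // the directory itself is not "inside"
    for (size_t i = 0; i < base.size(); ++i) {
        if (base[i] != tgt[i]) return false;
    }
    return true;
}

// Hypothetical entry point a resource saver would call instead of
// concatenating baseDir + "/" + name + ext directly.
std::optional<std::string> resourceFilePath(const std::string &baseDir,
                                            const std::string &userName,
                                            const std::string &ext) {
    std::optional<std::string> safe = sanitizeResourceName(userName);
    if (!safe) return std::nullopt;
    std::string path = baseDir + "/" + *safe + ext;
    if (!isInsideDirectory(baseDir, path)) return std::nullopt;
    return path;
}
```

With the reporter's input "../../../../test/abcd" the sanitizer yields "_.._.._.._test_abcd", a harmless single component, and even the raw, unsanitized name joined onto the gradients directory fails the containment check because normalisation climbs out of it.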
Note: svg/stop gradients apparently are all saved as "unnamed.svg" right now and cannot be overwritten. I think that's a way more important bug, though...
This may be a kio bug?