SUMMARY
***
HTML can be injected into Dolphin UI from the command line.
***

STEPS TO REPRODUCE
1. Open terminal
2. type: dolphin "<h1>HTML Injection</h1>"
3. press enter, dolphin will inject the HTML

OBSERVED RESULT
HTML injected

EXPECTED RESULT
no html injected

SOFTWARE/OS VERSIONS
dolphin 23.08.4

ADDITIONAL INFORMATION
This is a problem because?
Dear Bug Submitter,

This bug has been in NEEDSINFO status with no change for at least 15 days. Please provide the requested information as soon as possible and set the bug status as REPORTED. Due to regular bug tracker maintenance, if the bug is still in NEEDSINFO status with no change in 30 days the bug will be closed as RESOLVED > WORKSFORME due to lack of needed information.

For more information about our bug triaging procedures please read the wiki located here:
https://community.kde.org/Guidelines_and_HOWTOs/Bug_triaging

If you have already provided the requested information, please mark the bug as REPORTED so that the KDE team knows that the bug is ready to be confirmed.

Thank you for helping us make KDE software even better for everyone!
Created attachment 165640
Example screen shot

Maybe what the reporter means is that it is possible to inject HTML into the error message displayed when a file or folder does not exist, as shown in the screen shot if Dolphin is started with the command line

dolphin "<img src='file:/tmp/kde.png'/><br><H1>HTML Injection</h1>"

However, there is no obvious exploit either remotely or by viewing an exploit file name or file contents, so it is not likely to be a security risk.
@sitter: It is a problem because if you close dolphin with alt+f4 the QML injection stays and visually pollutes your dolphin experience.

Not to speak from the nice crashes you can get with `dolphin --new-window $(perl -E "print('A' x 100000)")`

IMO handling of untrusted user input should be improved before you end up with a proper security situation.
(In reply to Benjamin Flesch from comment #4)
> @sitter: It is a problem because if you close dolphin with alt+f4 the QML
> injection stays and visually pollutes your dolphin experience.

Well, you shot yourself in the foot, that is going to hurt any amount of time.

> Not to speak from the nice crashes you can get with `dolphin --new-window
> $(perl -E "print('A' x 100000)")`

If the user wants to shoot themselves in the foot that's their right.

> IMO handling of untrusted user input should be improved before you end up
> with a proper security situation.

It is trusted by virtue of coming from the user session.
This bug has been in NEEDSINFO status with no change for at least 30 days. The bug is now closed as RESOLVED > WORKSFORME due to lack of needed information.

For more information about our bug triaging procedures please read the wiki located here:
https://community.kde.org/Guidelines_and_HOWTOs/Bug_triaging

Thank you for helping us make KDE software even better for everyone!
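
The behaviour discussed in this thread is a command-line path ending up in an error message that is rendered as rich text. As an added example (not Dolphin's code; the message wording and function names are constructed for illustration), the block below shows that message built without and with escaping, using a std-only helper that covers the same four characters as Qt's QString::toHtmlEscaped().

```cpp
#include <iostream>
#include <string>

// Escape the characters a rich-text renderer treats as markup:
// '&', '<', '>' and '"', the set QString::toHtmlEscaped() handles.
std::string escape_html(const std::string &in) {
    std::string out;
    out.reserve(in.size());
    for (char c : in) {
        switch (c) {
        case '&': out += "&amp;";  break;  // must not start an entity
        case '<': out += "&lt;";   break;  // must not open a tag
        case '>': out += "&gt;";   break;
        case '"': out += "&quot;"; break;
        default:  out += c;
        }
    }
    return out;
}

// Before: the path is interpolated verbatim, so any tags it carries
// are interpreted by the widget that renders the message.
// (Message wording is constructed, not taken from Dolphin.)
std::string error_message_unsafe(const std::string &path) {
    return "The file or folder <b>" + path + "</b> does not exist.";
}

// After: only the application's own <b> markup survives; the path is
// shown literally, angle brackets included.
std::string error_message_safe(const std::string &path) {
    return "The file or folder <b>" + escape_html(path) + "</b> does not exist.";
}

int main() {
    // Argument quoted in the thread's second reproduction.
    const std::string arg =
        "<img src='file:/tmp/kde.png'/><br><H1>HTML Injection</h1>";
    std::cout << error_message_unsafe(arg) << "\n"
              << error_message_safe(arg) << "\n";
    return 0;
}
```

In Qt code the same effect comes from calling toHtmlEscaped() on the path before formatting, or from setting a label's text format to Qt::PlainText when no markup is needed at all.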