
List:       kde-panel-devel
Subject:    D6673: [Notifications] Manually remove remote images
From:       Kai Uwe Broulik <noreply () phabricator ! kde ! org>
Date:       2017-07-13 9:55:49
Message-ID: differential-rev-PHID-DREV-vpqp5zde5735fbnmsa5q-req () phabricator ! kde ! org

broulik created this revision.
Restricted Application added a project: Plasma.
Restricted Application added a subscriber: plasma-devel.

REVISION SUMMARY
  We allow HTML in Notifications and QtQuick Text will even load remote images which poses a privacy threat. The network access manager factory we install is ineffective as Plasma uses a shared engine nowadays and whenever a new QmlObject shared engine is created, its setupBindings will re-install the KIO access factory.

TEST PLAN
  5.8 branch on Fabian's request as this is a security issue

  Can no longer cause network requests by sending a notification with `<img src="http://...">` or `<span style="background: url(http://...)">`.
  (Btw I noticed that setupBindings is called >100 times on Plasma startup, setting up the very same QML engine over and over again, including creating a KIO NAM factory, KLocalizedContext and KIcon image provider)

REPOSITORY
  R120 Plasma Workspace

REVISION DETAIL
  https://phabricator.kde.org/D6673

AFFECTED FILES
  applets/notifications/package/contents/ui/NotificationItem.qml
  applets/notifications/plugin/CMakeLists.txt
  applets/notifications/plugin/notificationshelperplugin.cpp
  applets/notifications/plugin/notificationshelperplugin.h
  applets/notifications/plugin/textsanitizer.cpp
  applets/notifications/plugin/textsanitizer.h

To: broulik, #plasma, fvogt
Cc: plasma-devel, ZrenBot, progwolff, lesliezhai, ali-mohamed, jensreuterberg, abetts, sebas, apol, mart, lukas
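As an added example (not the D6673 patch and not Plasma's own textsanitizer), a sanitizer in standard C++ that strips the two remote-image vectors named in the test plan before the HTML reaches a rich-text renderer. The allow-list of non-network schemes (file:, data:) and the helper names isRemoteUrl, replaceIf and stripRemoteImages are assumptions of this example.

```cpp
// Added example, not the D6673 patch: strip remote image references from
// notification HTML. Standard C++ (std::regex) instead of Qt string classes.
#include <cctype>
#include <regex>
#include <string>

// A URL counts as remote (would trigger a network fetch) unless it is a
// scheme-less local path or uses a scheme on this allow-list. The allow-list
// is an assumption for this example, not Plasma's actual policy.
static bool isRemoteUrl(std::string url) {
    const auto start = url.find_first_not_of(" \t\r\n");
    if (start == std::string::npos) return false;
    url.erase(0, start);
    if (url.compare(0, 2, "//") == 0) return true;            // protocol-relative URL
    const auto colon = url.find(':');
    if (colon == std::string::npos) return false;              // no scheme: local path
    std::string scheme = url.substr(0, colon);
    if (scheme.find('/') != std::string::npos) return false;   // ':' inside a path
    for (char &c : scheme) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    return scheme != "file" && scheme != "data";
}

// Walk every match of `re` in `in`; replace a match with `replacement` when
// shouldDrop(capture group 1) holds, otherwise keep the match unchanged.
template <typename Pred>
static std::string replaceIf(const std::string &in, const std::regex &re,
                             Pred shouldDrop, const std::string &replacement) {
    std::string out;
    std::size_t last = 0;
    for (auto it = std::sregex_iterator(in.begin(), in.end(), re);
         it != std::sregex_iterator(); ++it) {
        const std::smatch &m = *it;
        out.append(in, last, m.position(0) - last);
        out += shouldDrop(m[1].str()) ? replacement : m.str(0);
        last = m.position(0) + m.length(0);
    }
    out.append(in, last, std::string::npos);
    return out;
}

// Drops <img> tags whose src is remote and replaces remote url(...) values in
// inline styles with "none", covering both vectors named in the test plan.
std::string stripRemoteImages(const std::string &html) {
    static const std::regex imgTag(
        R"re(<img\b[^>]*\bsrc\s*=\s*["']([^"']*)["'][^>]*>)re", std::regex::icase);
    static const std::regex cssUrl(
        R"re(url\(\s*["']?([^"')]*)["']?\s*\))re", std::regex::icase);
    const std::string noImgs = replaceIf(html, imgTag, isRemoteUrl, "");
    return replaceIf(noImgs, cssUrl, isRemoteUrl, "none");
}
```

Unquoted attribute values and images embedded through other CSS properties are outside what this regex-based pass handles; a production sanitizer should parse the markup rather than pattern-match it.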

