url: restrict clicked-link fallthrough to http/https URIs#1344
Open
acts-1631 wants to merge 1 commit into
Open
url: restrict clicked-link fallthrough to http/https URIs#1344acts-1631 wants to merge 1 commit into
acts-1631 wants to merge 1 commit into
Conversation
Bible, commentary, and dictionary module content is rendered as HTML by SWORD's render filters and loaded into the WebKit view essentially unmodified; there is no sanitization of <a href> values anywhere in the render/display pipeline. When a clicked link's URL doesn't match one of Xiphos's internal schemes (sword://, bible://, passagestudy.jsp, xiphos.url), main_url_handler() falls through to xiphos_open_default(), which calls gtk_show_uri_on_window()/ShellExecuteW() on the raw URL with no scheme check and no user confirmation. A malicious or compromised module repository could embed a link such as <a href="file:///home/user/.ssh/id_rsa">click here</a> in a commentary or dictionary entry; clicking it opens the local file with the desktop's default handler for that file, without any warning. Restrict this fallthrough to http:// and https:// URIs, which are the only schemes legitimate module content should need for external links. Other callers of xiphos_open_default() (About/help/mailing-list/bug- report menu items) are unaffected.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Bible, commentary, and dictionary module content is rendered as HTML by
SWORD's render filters and loaded into the WebKit view essentially
unmodified; there is no sanitization of values anywhere in the
render/display pipeline.
When a clicked link's URL doesn't match one of Xiphos's internal schemes
(sword://, bible://, passagestudy.jsp, xiphos.url), main_url_handler()
falls through to xiphos_open_default(), which calls
gtk_show_uri_on_window()/ShellExecuteW() on the raw URL with no scheme
check and no user confirmation. A malicious or compromised module
repository could embed a link such as
click here
in a commentary or dictionary entry; clicking it opens the local file with
the desktop's default handler for that file, without any warning.
This restricts the fallthrough to http:// and https:// URIs, which are the
only schemes legitimate module content should need for external links.
Other callers of xiphos_open_default() (About/help/mailing-list/bug-report
menu items) are unaffected.