https://bugs.kde.org/show_bug.cgi?id=506793
Bug ID: 506793
Summary: dbus generated notifications render arbitrary HTML in
the body
Classification: Plasma
Product: plasmashell
Version First Reported In: 6.4.1
Platform: Other
OS: Linux
Status: REPORTED
Severity: normal
Priority: NOR
Component: Notifications
Assignee: [email protected]
Reporter: [email protected]
CC: [email protected]
Target Milestone: 1.0
SUMMARY
DBus-generated notifications containing HTML are not escaped by Plasma by
default, allowing arbitrary HTML injection into the notification body.
For instance, an attacker could trigger an event that displays a notification
containing `<img src="file:///dev/random"/>` to the user; rendering that
endless file eventually consumes all available RAM.
Please see:
* https://gitlab.gnome.org/GNOME/glib/-/issues/3720
* https://dev.gajim.org/gajim/gajim/-/issues/12349
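As an added example (not code from Plasma or from the reporter), an allow-list sanitizer for notification bodies: it keeps only the inline markup the freedesktop notification spec permits (b, i, u, a href with http/https/mailto links), escapes all text, and drops `<img>` and every other tag outright, so a body like the one above cannot reference local files. The allowed-tag set and link schemes are an assumed policy, not Plasma's.

```python
import html
from html.parser import HTMLParser

# Assumed policy: inline formatting only, links only to remote/mail schemes.
ALLOWED_TAGS = {"b", "i", "u"}
SAFE_LINK_SCHEMES = ("http://", "https://", "mailto:")


class BodySanitizer(HTMLParser):
    """Re-emit untrusted notification markup with an allow-list."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []  # stack so output stays well-formed

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")
            self.open_tags.append(tag)
        elif tag == "a":
            href = dict(attrs).get("href") or ""
            if href.startswith(SAFE_LINK_SCHEMES):
                self.out.append(f'<a href="{html.escape(href, quote=True)}">')
                self.open_tags.append("a")
        # Any other tag (img, script, iframe, ...) is dropped together with
        # its attributes, so file:// or other sources never reach the renderer.

    def handle_endtag(self, tag):
        if tag in self.open_tags:
            # Close inner tags first so nesting in the output stays valid.
            while self.open_tags:
                t = self.open_tags.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))

    def result(self):
        # Close whatever the untrusted input left open.
        while self.open_tags:
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize_body(body: str) -> str:
    p = BodySanitizer()
    p.feed(body)
    p.close()
    return p.result()
```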
STEPS TO REPRODUCE
1. pip install https://github.com/phuhl/notify-send.py, for instance
2. run
```
notify-send.py 'Title: <img src="file:///absolute/path/to/any/local/image.png">' 'Body: <img src="file:///absolute/path/to/any/local/image.png">'
```
OBSERVED RESULT
The title is escaped, but the body renders the picture.
EXPECTED RESULT
Everything is escaped.
SOFTWARE/OS VERSIONS
Operating System: Fedora Linux 42
KDE Plasma Version: 6.4.2
KDE Frameworks Version: 6.15.0
Qt Version: 6.9.1
Graphics Platform: Wayland