https://bugs.kde.org/show_bug.cgi?id=506793
David Edmundson <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
      Latest Commit|                            |https://invent.kde.org/plasma/plasma-workspace/-/commit/fe2d07b21403d20202514a5e5860698d52610da3
             Status|ASSIGNED                    |RESOLVED

--- Comment #4 from David Edmundson <[email protected]> ---
Git commit fe2d07b21403d20202514a5e5860698d52610da3 by David Edmundson.
Committed on 23/09/2025 at 12:50.
Pushed by davidedmundson into branch 'master'.

Sanitize images in notifications

Notifications are allowed to show local URLs. It's possible to break plasma by
loading an image with a URL of file:///dev/urandom.

This could be sent from a remote source; applications emitting notifications
should sanitize their input, but we shouldn't solely rely on that.

This adds a few extra checks that the image is a valid local file.

Timing attacks are still possible, but only with locally running code, so not
something to be concerned with.

M  +20   -3    libnotificationmanager/autotests/notifications_test.cpp
M  +21   -1    libnotificationmanager/notification.cpp

https://invent.kde.org/plasma/plasma-workspace/-/commit/fe2d07b21403d20202514a5e5860698d52610da3
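The kind of check the commit describes, as an added example that is not the commit's code (the actual fix is C++ in libnotificationmanager/notification.cpp and is not shown on this page): a function that accepts a notification image reference only if it names an existing, non-empty regular local file, so device nodes such as /dev/urandom, FIFOs, sockets and directories are refused. The size cap, the helper names and the sample bytes are assumptions made for this example.

```python
import os
import stat
import tempfile
from urllib.parse import unquote, urlparse

MAX_IMAGE_BYTES = 16 * 1024 * 1024  # assumed cap; not a value taken from the commit


def is_safe_local_image(ref: str, max_bytes: int = MAX_IMAGE_BYTES) -> bool:
    """Return True only if ref names an existing, non-empty regular local file.

    Accepts a bare absolute path or a file:// URL. Anything remote, relative,
    non-existent, or not a regular file (character devices such as /dev/urandom,
    FIFOs, sockets, directories) is refused.
    """
    parts = urlparse(ref)
    if parts.scheme not in ("", "file") or parts.netloc not in ("", "localhost"):
        return False
    path = unquote(parts.path)
    if not os.path.isabs(path):
        return False
    # Open first and fstat the descriptor, so the type check applies to the
    # object actually opened; O_NONBLOCK keeps a FIFO from blocking the open.
    try:
        fd = os.open(path, os.O_RDONLY | getattr(os, "O_NONBLOCK", 0))
    except OSError:
        return False
    try:
        st = os.fstat(fd)
    finally:
        os.close(fd)
    if not stat.S_ISREG(st.st_mode):
        return False
    # The image loader re-opens the path itself, so a race between this check
    # and the load remains for local code, as the commit message notes.
    return 0 < st.st_size <= max_bytes


def make_sample_file(data: bytes) -> str:
    """Write constructed sample bytes to a temp file and return its path (assumed helper)."""
    fd, path = tempfile.mkstemp(suffix=".png")
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


if __name__ == "__main__":
    sample = make_sample_file(b"\x89PNG\r\n\x1a\n" + b"\x00" * 64)  # constructed, not a real image
    for ref in ("file:///dev/urandom", "https://example.invalid/a.png", "file://" + sample):
        print(ref, "->", is_safe_local_image(ref))
```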
