broulik created this revision.
Restricted Application added a project: Plasma.
Restricted Application added a subscriber: plasma-devel.

REVISION SUMMARY
  We allow HTML in Notifications and QtQuick Text will even load remote images 
which poses a privacy threat.
  The network access manager factory we install is ineffective as Plasma uses a 
shared engine nowadays and whenever a new QmlObject shared engine is created, 
its setupBindings will re-install the KIO access factory.

TEST PLAN
  5.8 branch on Fabian's request as this is a security issue
  
  Can no longer cause network requests by sending a notification with `<img 
src="http://...">` or `<span style="background: url(http://...)">`.
  
  (Btw I noticed that setupBindings is called >100 times on Plasma startup, 
setting up the very same QML engine over and over again, including creating a 
KIO NAM factory, KLocalizedContext and KIcon image provider)

REPOSITORY
  R120 Plasma Workspace

REVISION DETAIL
  https://phabricator.kde.org/D6673

AFFECTED FILES
  applets/notifications/package/contents/ui/NotificationItem.qml
  applets/notifications/plugin/CMakeLists.txt
  applets/notifications/plugin/notificationshelperplugin.cpp
  applets/notifications/plugin/notificationshelperplugin.h
  applets/notifications/plugin/textsanitizer.cpp
  applets/notifications/plugin/textsanitizer.h

To: broulik, #plasma, fvogt
Cc: plasma-devel, ZrenBot, progwolff, lesliezhai, ali-mohamed, jensreuterberg, 
abetts, sebas, apol, mart, lukas
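As an added illustration (not the revision's own textsanitizer.cpp, whose contents are not shown here), the following plain C++ sanitizer removes the two vectors named in the test plan: it drops `<img>` elements entirely and strips `style` attributes from every other tag, so neither an image source nor a CSS `url(...)` background can trigger a request when the text is rendered. Function names and the sample inputs are assumptions, and it is deliberately simpler than a full HTML parser.

```cpp
#include <cctype>
#include <string>

// Lower-cased copy, for case-insensitive tag and attribute matching.
static std::string lowerCopy(std::string s) {
    for (char& c : s) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    return s;
}

// Strips every style=... attribute (quoted or bare) from one "<...>" chunk so
// CSS such as background: url(http://...) cannot cause a fetch.
static std::string stripStyleAttrs(std::string tag) {
    const std::string ws = " \t\r\n";
    std::string low = lowerCopy(tag);
    size_t pos = 0;
    while ((pos = low.find("style", pos)) != std::string::npos) {
        size_t eq = low.find_first_not_of(ws, pos + 5);
        // It is an attribute only if preceded by whitespace and followed by '='.
        if (pos == 0 || ws.find(low[pos - 1]) == std::string::npos ||
            eq == std::string::npos || low[eq] != '=') { pos += 5; continue; }
        size_t vs = low.find_first_not_of(ws, eq + 1), ve;
        if (vs != std::string::npos && (low[vs] == '"' || low[vs] == '\'')) {
            ve = low.find(low[vs], vs + 1);                         // closing quote
            ve = (ve == std::string::npos) ? low.size() : ve + 1;
        } else {                                                    // bare value
            ve = low.find_first_of(ws + ">", vs == std::string::npos ? eq + 1 : vs);
            if (ve == std::string::npos) ve = low.size();
        }
        size_t n = ve - pos + 1;           // length including the leading whitespace
        low.erase(--pos, n); tag.erase(pos, n);   // keep both strings in sync
    }
    return tag;
}

// Drops <img> elements and style attributes; text and other markup pass through.
std::string sanitizeNotificationHtml(const std::string& html) {
    std::string out;
    for (size_t i = 0; i < html.size();) {
        if (html[i] != '<') { out += html[i++]; continue; }
        size_t end = html.find('>', i);
        if (end == std::string::npos) break;   // unterminated tag: drop the rest
        std::string tag = html.substr(i, end - i + 1);
        size_t n = 1;                          // tag name runs from after '<'
        while (n < tag.size() && std::isalpha(static_cast<unsigned char>(tag[n]))) ++n;
        if (lowerCopy(tag.substr(1, n - 1)) != "img") out += stripStyleAttrs(tag);
        i = end + 1;
    }
    return out;
}
```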
