Mailinglist Archive: opensuse-factory (443 mails)

Re: [opensuse-factory] New package 'opensuse-welcome' to Factory
Hi,

On Saturday, 13 July 2019, 23:27:00 CEST, Carson Black wrote:
> Just pushed a commit to git master that redoes the RSS to move it out
> of the domain of the WebEngine view and into QML's supervision. Both
> URLs and titles have their HTML characters escaped, and if any other
> security is needed, it should be easy to add. There are no
> intermediaries between the request and news o-o like the previous
> solution.

Looking much better! The escaping is wrong though: it's escaping HTML chars,
but the result is parsed as a JS string. This means [&<>"'] appear broken.
Characters such as newline or backslash would need to be escaped as well, as
would other non-printable ones.

As this uses Qt WebEngine already anyway, I recommend just using WebChannel,
and then no sanitization would be needed anymore, as the value is passed as a
string directly to JS and assigned with "foo.textContent = bar", so there's no
possibility for injections.

> [ I don't think this sent the first two times I tried. Third time's
> the charm, right? Hopefully. Take [just pushed] in the context of
> yesterday. ]

I got this mail twice, but only once on the ML.

Cheers,
Fabian

-- Carson Black [pontaos]
On Fri, 12 Jul 2019 at 9:10 PM, Fabian Vogt <fvogt@xxxxxxx> wrote:
Hi,

On Wednesday, 10 July 2019, 21:00:17 CEST, Fabian Vogt wrote:
> > I had a quick look at the code and noticed that it makes use of
> > HTML and friends.
> > It seems to load RSS data over HTTP (no TLS) and shows the
> > latest entry in the page. If there's some vulnerability found in
> > the RSS entry display, arbitrary code can be executed using
> > launcher.launch("foo").
>
> Changed to use HTTPS now.

IMO not enough, would it be possible to add some extra steps for sanitation?

So, I just had a more in-depth look and it's absolutely crazy how the RSS
display is implemented.

Instead of fetching the RSS XML document from news.opensuse.org directly,
it does a query to
https://www.feedrapp.info/?callback=...&q=https%3A%2F%2Fnews.opensuse.org%2Ffeed&num=1&_=1562954857632
which returns a JavaScript document, which is then directly eval'd in the
global context.

So by opening this application the user effectively gives www.feedrapp.info
full access to his local user account; they just need to return
"launcher.launch('kdialog --msgbox Pwned')".

Alternatively, a post with a title containing
"&lt;script&gt;console.log("pwned")&lt;/script&gt;"
on news.opensuse.org would also lead to a similar result, as there is
no HTML escaping whatsoever.

I reported those issues to jquery-rss upstream:
https://github.com/sdepold/jquery-rss/issues/152

So please fix this before including the package in the distribution,
preferably by disabling all access to outside sources by default.

Hi,
I feel a better solution would be to fetch news via a C++ library (I will
have to look at what's around) and put that stuff in the slot. Doing all
that with JS is pointless. Well, JS is pointless overall in that app;
it's already barely used at all, and since we have all the access to
the content via C++, we might as well use that.

LCP [Stasiek]
https://lcp.world
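The escaping-context point Fabian raises above (HTML entities are the wrong encoding once a title lands in a JS string literal, and newline/backslash need handling too), as an added example that is not code from opensuse-welcome or jquery-rss; the sample titles are constructed:

```javascript
// Added example, not code from opensuse-welcome or jquery-rss: shows why
// HTML-escaping a feed title is the wrong tool once that title is spliced
// into a JavaScript string literal. All feed titles are constructed samples.

// The escaping described in the thread: HTML-special characters only.
function htmlEscape(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Naive approach: drop the HTML-escaped title into a single-quoted JS literal.
function naiveJsLiteral(title) {
  return "'" + htmlEscape(title) + "'";
}

// Context-correct approach: JSON.stringify yields a valid JS string literal for
// any input. Quotes, backslashes, newlines and other control characters are
// escaped for the JS parser, and the decoded value equals the original title.
function safeJsLiteral(title) {
  return JSON.stringify(title);
}

// Parse a candidate literal the way the JS engine would. Returns {ok, value}
// on a clean parse or {ok: false, error} when the parser rejects it. The
// parentheses restrict the input to a single expression; this is a parsing
// check on constructed samples, not evaluation of live feed content.
function parseLiteral(literal) {
  try {
    return { ok: true, value: Function("return (" + literal + ");")() };
  } catch (e) {
    return { ok: false, error: e.name };
  }
}

// Constructed titles exercising the characters the thread mentions.
const SAMPLE_TITLES = [
  "Tumbleweed: it's here & it <rocks>", // [&<>"'] survive only as entities
  "Line one\nline two",                  // raw newline: unterminated literal
  "Path C:\\users\\me",                  // backslash: \u... is a bad escape
];

// For one title, report whether each approach delivers it to JS unchanged.
function compare(title) {
  const naive = parseLiteral(naiveJsLiteral(title));
  const safe = parseLiteral(safeJsLiteral(title));
  return {
    naiveIntact: naive.ok && naive.value === title,
    safeIntact: safe.ok && safe.value === title,
  };
}
```

Running compare() over SAMPLE_TITLES shows the naive path either mangling the text (entities shown verbatim) or producing a SyntaxError, while the JSON.stringify path returns every title unchanged.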


--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse-factory+owner@xxxxxxxxxxxx

