Skip to content

url: restrict clicked-link fallthrough to http/https URIs#1344

Open
acts-1631 wants to merge 1 commit into
crosswire:masterfrom
acts-1631:fix/bible-link-scheme-allowlist
Open

url: restrict clicked-link fallthrough to http/https URIs#1344
acts-1631 wants to merge 1 commit into
crosswire:masterfrom
acts-1631:fix/bible-link-scheme-allowlist

Conversation

@acts-1631

Copy link
Copy Markdown

Bible, commentary, and dictionary module content is rendered as HTML by
SWORD's render filters and loaded into the WebKit view essentially
unmodified; there is no sanitization of values anywhere in the
render/display pipeline.

When a clicked link's URL doesn't match one of Xiphos's internal schemes
(sword://, bible://, passagestudy.jsp, xiphos.url), main_url_handler()
falls through to xiphos_open_default(), which calls
gtk_show_uri_on_window()/ShellExecuteW() on the raw URL with no scheme
check and no user confirmation. A malicious or compromised module
repository could embed a link such as

click here

in a commentary or dictionary entry; clicking it opens the local file with
the desktop's default handler for that file, without any warning.

This restricts the fallthrough to http:// and https:// URIs, which are the
only schemes legitimate module content should need for external links.
Other callers of xiphos_open_default() (About/help/mailing-list/bug-report
menu items) are unaffected.

Bible, commentary, and dictionary module content is rendered as HTML
by SWORD's render filters and loaded into the WebKit view essentially
unmodified; there is no sanitization of <a href> values anywhere in
the render/display pipeline.

When a clicked link's URL doesn't match one of Xiphos's internal
schemes (sword://, bible://, passagestudy.jsp, xiphos.url),
main_url_handler() falls through to xiphos_open_default(), which calls
gtk_show_uri_on_window()/ShellExecuteW() on the raw URL with no scheme
check and no user confirmation. A malicious or compromised module
repository could embed a link such as

  <a href="file:///home/user/.ssh/id_rsa">click here</a>

in a commentary or dictionary entry; clicking it opens the local file
with the desktop's default handler for that file, without any
warning.

Restrict this fallthrough to http:// and https:// URIs, which are the
only schemes legitimate module content should need for external links.
Other callers of xiphos_open_default() (About/help/mailing-list/bug-
report menu items) are unaffected.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant