Skip to content

fix buffer overflow and HTML injection in bookmark export#1345

Open
acts-1631 wants to merge 1 commit into
crosswire:masterfrom
acts-1631:fix/export-bookmarks-security
Open

fix buffer overflow and HTML injection in bookmark export#1345
acts-1631 wants to merge 1 commit into
crosswire:masterfrom
acts-1631:fix/export-bookmarks-security

Conversation

@acts-1631

Copy link
Copy Markdown

Two issues in the bookmark export code in export_bookmarks.c.

First, the export functions use sprintf() to write the chosen filename
plus an extension into a 256-byte stack buffer. The filename comes from
gtk_file_chooser_get_filename() which can return a path up to PATH_MAX
(4096 bytes on Linux), so a path longer than 251 chars overflows the
buffer. This affects _save_verselist_2_xml, _save_verselist_2_html,
save_iter_to_xml, _save_iter, and export_2_html (the last one writes
into a buffer that is never actually read). All five are switched to
g_strdup_printf() with the result freed after use, and the dead code in
export_2_html is removed.

Second, bookmark fields (description, module, key, folder caption, and
the search result title) are inserted into exported HTML without
escaping. A bookmark description containing HTML tags would execute
when the exported file is opened in a browser. These values are now
escaped with g_markup_escape_text() before being formatted into HTML.
Rendered scripture text is not escaped since it is already HTML from
the SWORD render filters.

Five sprintf() calls wrote filenames into a 256-byte stack buffer using
data->filename, which comes from gtk_file_chooser_get_filename() and can
be up to PATH_MAX (4096 on Linux). A path longer than 251 chars
overflowed the buffer when the extension was appended. The affected
functions are _save_verselist_2_xml, _save_verselist_2_html (both .html
and .txt branches), save_iter_to_xml, and _save_iter (both branches).
export_2_html also had a dead sprintf into a 256-byte buffer whose
result was never read but still corrupted the stack. Replaced all fixed
buffers with g_strdup_printf() allocations and freed them after use;
removed the dead code in export_2_html.

Bookmark description, module, key, folder caption, and search-result
title were inserted verbatim into exported HTML output, allowing stored
XSS when the exported file is opened in a browser. A bookmark
description like </li></ul><script>...</script> would execute on view.
Escape these user-controlled values with g_markup_escape_text() before
formatting them into HTML. The affected locations are gui_set_html_item,
_parse_treeview (folder caption), _save_iter (HTML header caption), and
_save_verselist_2_html (search result title). Rendered scripture text is
left unescaped, as it is legitimate HTML produced by the SWORD render
filters.
@acts-1631 acts-1631 force-pushed the fix/export-bookmarks-security branch from c2b4672 to 882f977 Compare July 8, 2026 02:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant