fix buffer overflow and HTML injection in bookmark export#1345
Open
acts-1631 wants to merge 1 commit into
Open
fix buffer overflow and HTML injection in bookmark export#1345acts-1631 wants to merge 1 commit into
acts-1631 wants to merge 1 commit into
Conversation
Five sprintf() calls wrote filenames into a 256-byte stack buffer using data->filename, which comes from gtk_file_chooser_get_filename() and can be up to PATH_MAX (4096 on Linux). A path longer than 251 chars overflowed the buffer when the extension was appended. The affected functions are _save_verselist_2_xml, _save_verselist_2_html (both .html and .txt branches), save_iter_to_xml, and _save_iter (both branches). export_2_html also had a dead sprintf into a 256-byte buffer whose result was never read but still corrupted the stack. Replaced all fixed buffers with g_strdup_printf() allocations and freed them after use; removed the dead code in export_2_html. Bookmark description, module, key, folder caption, and search-result title were inserted verbatim into exported HTML output, allowing stored XSS when the exported file is opened in a browser. A bookmark description like </li></ul><script>...</script> would execute on view. Escape these user-controlled values with g_markup_escape_text() before formatting them into HTML. The affected locations are gui_set_html_item, _parse_treeview (folder caption), _save_iter (HTML header caption), and _save_verselist_2_html (search result title). Rendered scripture text is left unescaped, as it is legitimate HTML produced by the SWORD render filters.
c2b4672 to
882f977
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Two issues in the bookmark export code in export_bookmarks.c.
First, the export functions use sprintf() to write the chosen filename
plus an extension into a 256-byte stack buffer. The filename comes from
gtk_file_chooser_get_filename() which can return a path up to PATH_MAX
(4096 bytes on Linux), so a path longer than 251 chars overflows the
buffer. This affects _save_verselist_2_xml, _save_verselist_2_html,
save_iter_to_xml, _save_iter, and export_2_html (the last one writes
into a buffer that is never actually read). All five are switched to
g_strdup_printf() with the result freed after use, and the dead code in
export_2_html is removed.
Second, bookmark fields (description, module, key, folder caption, and
the search result title) are inserted into exported HTML without
escaping. A bookmark description containing HTML tags would execute
when the exported file is opened in a browser. These values are now
escaped with g_markup_escape_text() before being formatted into HTML.
Rendered scripture text is not escaped since it is already HTML from
the SWORD render filters.