https://bugs.kde.org/show_bug.cgi?id=506793

Nate Graham <[email protected]> changed:

What: Latest Commit
Removed: https://invent.kde.org/plasma/plasma-workspace/-/commit/fe2d07b21403d20202514a5e5860698d52610da3
Added: https://invent.kde.org/plasma/plasma-workspace/-/commit/b21323c647ef263b150096965ca4ab934b32aa0b

--- Comment #5 from Nate Graham <[email protected]> ---
Git commit b21323c647ef263b150096965ca4ab934b32aa0b by Nate Graham, on behalf of David Edmundson.
Committed on 26/09/2025 at 20:44.
Pushed by ngraham into branch 'Plasma/6.5'.

Sanitize images in notifications


Notifications are allowed to show local URLs.
It's possible to break plasma by loading an image with a URL of
file:///dev/urandom.

This could be sent from a remote source; applications emitting notifications
should sanitize their input, but we shouldn't solely rely on that.

This adds a few extra checks that the image is a valid local file.

Timing attacks are still possible, but only with locally running code,
so not something to be concerned with.


(cherry picked from commit fe2d07b21403d20202514a5e5860698d52610da3)

3cd7bb2f Sanitize images in notifications

Co-authored-by: David Edmundson <[email protected]>

M  +20   -3    libnotificationmanager/autotests/notifications_test.cpp
M  +21   -1    libnotificationmanager/notification.cpp

https://invent.kde.org/plasma/plasma-workspace/-/commit/b21323c647ef263b150096965ca4ab934b32aa0b
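The kind of check the commit describes, as an added illustration written for this page (not plasma-workspace's own code, which uses Qt): a notification image URL is accepted only if it is a file:// URL naming an existing regular file of bounded size, so a device node such as /dev/urandom, a FIFO, a socket or a directory is refused. The function names, the 16 MiB cap and the temp-file helper are assumptions of this example.

```cpp
#include <cstdio>
#include <cstdlib>
#include <fcntl.h>
#include <string>
#include <sys/stat.h>
#include <unistd.h>

// Hypothetical helper, not plasma-workspace code. Returns the local path when
// `url` names a regular file no larger than maxBytes, otherwise "".
std::string checkedLocalImagePath(const std::string &url, off_t maxBytes = 16 * 1024 * 1024)
{
    static const std::string prefix = "file://";
    if (url.compare(0, prefix.size(), prefix) != 0)
        return "";                                   // only local file URLs are allowed
    const std::string path = url.substr(prefix.size());
    // Deliberately simple parser: absolute path, no percent-encoding. The real
    // code would go through a proper URL class (QUrl::toLocalFile() in Qt).
    if (path.empty() || path[0] != '/' || path.find('%') != std::string::npos)
        return "";
    // Open first, then fstat() the descriptor: inspecting the opened object rather
    // than the name narrows the check-then-use window the commit message notes
    // (it does not remove it entirely). O_NONBLOCK keeps open() from hanging on a
    // FIFO with no writer; O_NOFOLLOW refuses symlinks outright.
    int fd = ::open(path.c_str(), O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    if (fd < 0)
        return "";
    struct stat st;
    // /dev/urandom is a character device, so S_ISREG fails and it is rejected.
    bool ok = ::fstat(fd, &st) == 0 && S_ISREG(st.st_mode) && st.st_size <= maxBytes;
    ::close(fd);
    return ok ? path : "";
}

// Constructed sample input: a tiny regular file standing in for an icon image.
std::string makeSmallImageFileUrl()
{
    char tmpl[] = "/tmp/notif_img_XXXXXX";
    int fd = ::mkstemp(tmpl);
    if (fd < 0)
        return "";
    static const unsigned char header[] = {0x89, 'P', 'N', 'G'};  // constructed bytes
    (void)::write(fd, header, sizeof header);
    ::close(fd);
    return std::string("file://") + tmpl;
}
```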
