zx2c4 reopened this revision.
zx2c4 added a comment.
This revision is now accepted and ready to land.

  + const QUrl url(src);
  + if (url.isLocalFile()) {
  + out.writeAttribute(QStringLiteral("src"), src);
  + } else {
  + //image denied for security reasons! Do not copy the image src here!
  + }
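
Review bot: The `url.isLocalFile()` test in the new `if` only establishes that `src` is a file: URL, not which path it names, so whatever file: URL arrives in `src` is passed to `writeAttribute` unchanged. If local images have to be supported, check the resolved path against a short allowlist of directories before writing the attribute, and write the normalized `url` rather than the raw `src` string. The `else` branch that holds only a comment would read better as a negated condition or an early return.
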
  This probably isn't a good idea either, since a remote attacker can
  specify any local path, which could have unintended consequences. It's
  a nice way, for example, of expanding a remote memory access into a
  remote file access (loading file into malloc'd buffers), causing
  traffic on network-mapped file paths, or other mischief. Under no
  circumstances should a remote user be allowed to supply an arbitrary
  local file path.
  I'd recommend entirely denying <img> tags, and instead providing
  developers with some other API to show photos. I believe this already
  exists, in fact.
  If you absolutely must have <img> tags, then at least use an inline
  data URI, though this of course has its own problems too.

  R120 Plasma Workspace


To: davidedmundson, #plasma, fvogt
Cc: zx2c4, broulik, aacid, fvogt, plasma-devel, ZrenBot, progwolff, lesliezhai, 
ali-mohamed, jensreuterberg, abetts, sebas, apol, mart
