CVE-2016-7966, KMail: HTML injection in plain text viewer

epel8
Than Ngo 8 years ago
parent ed10568226
commit 29327012f3

@ -0,0 +1,197 @@
diff --git a/autotests/ktexttohtmltest.cpp b/autotests/ktexttohtmltest.cpp
index 474f0ca..8fc0c56 100644
--- a/autotests/ktexttohtmltest.cpp
+++ b/autotests/ktexttohtmltest.cpp
@@ -30,6 +30,15 @@ QTEST_MAIN(KTextToHTMLTest)
Q_DECLARE_METATYPE(KTextToHTML::Options)
+#ifndef Q_OS_WIN
+void initLocale()
+{
+ setenv("LC_ALL", "en_US.utf-8", 1);
+}
+Q_CONSTRUCTOR_FUNCTION(initLocale)
+#endif
+
+
void KTextToHTMLTest::testGetEmailAddress()
{
// empty input
@@ -372,6 +381,11 @@ void KTextToHTMLTest::testHtmlConvert_data()
QTest::newRow("url-in-parenthesis-3") << "bla (http://www.kde.org - section 5.2)"
<< KTextToHTML::Options(KTextToHTML::PreserveSpaces)
<< "bla (<a href=\"http://www.kde.org\">http://www.kde.org</a> - section 5.2)";
+
+ // Fix url as foo <<url> <url>> when we concatened them.
+ QTest::newRow("url-with-url") << "foo <http://www.kde.org/ <http://www.kde.org/>>"
+ << KTextToHTML::Options(KTextToHTML::PreserveSpaces)
+ << "foo &lt;<a href=\"http://www.kde.org/ \">http://www.kde.org/ </a>&lt;<a href=\"http://www.kde.org/\">http://www.kde.org/</a>&gt;&gt;";
}
diff --git a/src/lib/text/ktexttohtml.cpp b/src/lib/text/ktexttohtml.cpp
index b5e1bda..c70d062 100644
--- a/src/lib/text/ktexttohtml.cpp
+++ b/src/lib/text/ktexttohtml.cpp
@@ -228,11 +228,19 @@ QString KTextToHTMLHelper::getUrl()
url.reserve(mMaxUrlLen); // avoid allocs
int start = mPos;
+ bool previousCharIsSpace = false;
while ((mPos < mText.length()) &&
(mText[mPos].isPrint() || mText[mPos].isSpace()) &&
((afterUrl.isNull() && !mText[mPos].isSpace()) ||
(!afterUrl.isNull() && mText[mPos] != afterUrl))) {
- if (!mText[mPos].isSpace()) { // skip whitespace
+ if (mText[mPos].isSpace()) {
+ previousCharIsSpace = true;
+ } else { // skip whitespace
+ if (previousCharIsSpace && mText[mPos] == QLatin1Char('<')) {
+ url.append(QLatin1Char(' '));
+ break;
+ }
+ previousCharIsSpace = false;
url.append(mText[mPos]);
if (url.length() > mMaxUrlLen) {
break;
@@ -267,7 +275,6 @@ QString KTextToHTMLHelper::getUrl()
}
} while (url.length() > 1);
}
-
return url;
}
@@ -334,6 +341,7 @@ QString KTextToHTML::convertToHtml(const QString &plainText, const KTextToHTML::
QChar ch;
int x;
bool startOfLine = true;
+ //qDebug()<<" plainText"<<plainText;
for (helper.mPos = 0, x = 0; helper.mPos < helper.mText.length();
++helper.mPos, ++x) {
@@ -402,6 +410,7 @@ QString KTextToHTML::convertToHtml(const QString &plainText, const KTextToHTML::
const int start = helper.mPos;
if (!(flags & IgnoreUrls)) {
str = helper.getUrl();
+ //qDebug()<<" str"<<str;
if (!str.isEmpty()) {
QString hyperlink;
if (str.left(4) == QLatin1String("www.")) {
@@ -455,6 +464,7 @@ QString KTextToHTML::convertToHtml(const QString &plainText, const KTextToHTML::
result = helper.emoticonsInterface()->parseEmoticons(result, true, exclude);
}
+ //qDebug()<<" result "<<result;
return result;
}
diff --git a/autotests/ktexttohtmltest.cpp b/autotests/ktexttohtmltest.cpp
index 8fc0c56..c5690e8 100644
--- a/autotests/ktexttohtmltest.cpp
+++ b/autotests/ktexttohtmltest.cpp
@@ -386,6 +386,12 @@ void KTextToHTMLTest::testHtmlConvert_data()
QTest::newRow("url-with-url") << "foo <http://www.kde.org/ <http://www.kde.org/>>"
<< KTextToHTML::Options(KTextToHTML::PreserveSpaces)
<< "foo &lt;<a href=\"http://www.kde.org/ \">http://www.kde.org/ </a>&lt;<a href=\"http://www.kde.org/\">http://www.kde.org/</a>&gt;&gt;";
+
+ //Fix url exploit
+ QTest::newRow("url-exec-html") << "https://\"><!--"
+ << KTextToHTML::Options(KTextToHTML::PreserveSpaces)
+ << "https://\"><!--";
+
}
diff --git a/src/lib/text/ktexttohtml.cpp b/src/lib/text/ktexttohtml.cpp
index c70d062..97c5eab 100644
--- a/src/lib/text/ktexttohtml.cpp
+++ b/src/lib/text/ktexttohtml.cpp
@@ -156,7 +156,6 @@ bool KTextToHTMLHelper::atUrl()
(allowedSpecialChars.indexOf(mText[mPos - 1]) != -1))) {
return false;
}
-
QChar ch = mText[mPos];
return
(ch == QLatin1Char('h') && (mText.mid(mPos, 7) == QLatin1String("http://") ||
@@ -192,7 +191,7 @@ bool KTextToHTMLHelper::isEmptyUrl(const QString &url)
url == QLatin1String("news://");
}
-QString KTextToHTMLHelper::getUrl()
+QString KTextToHTMLHelper::getUrl(bool *badurl)
{
QString url;
if (atUrl()) {
@@ -229,6 +228,7 @@ QString KTextToHTMLHelper::getUrl()
url.reserve(mMaxUrlLen); // avoid allocs
int start = mPos;
bool previousCharIsSpace = false;
+ bool previousCharIsADoubleQuote = false;
while ((mPos < mText.length()) &&
(mText[mPos].isPrint() || mText[mPos].isSpace()) &&
((afterUrl.isNull() && !mText[mPos].isSpace()) ||
@@ -241,6 +241,18 @@ QString KTextToHTMLHelper::getUrl()
break;
}
previousCharIsSpace = false;
+ if (mText[mPos] == QLatin1Char('>') && previousCharIsADoubleQuote) {
+ //it's an invalid url
+ if (badurl) {
+ *badurl = true;
+ }
+ return QString();
+ }
+ if (mText[mPos] == QLatin1Char('"')) {
+ previousCharIsADoubleQuote = true;
+ } else {
+ previousCharIsADoubleQuote = false;
+ }
url.append(mText[mPos]);
if (url.length() > mMaxUrlLen) {
break;
@@ -341,7 +353,6 @@ QString KTextToHTML::convertToHtml(const QString &plainText, const KTextToHTML::
QChar ch;
int x;
bool startOfLine = true;
- //qDebug()<<" plainText"<<plainText;
for (helper.mPos = 0, x = 0; helper.mPos < helper.mText.length();
++helper.mPos, ++x) {
@@ -409,8 +420,11 @@ QString KTextToHTML::convertToHtml(const QString &plainText, const KTextToHTML::
} else {
const int start = helper.mPos;
if (!(flags & IgnoreUrls)) {
- str = helper.getUrl();
- //qDebug()<<" str"<<str;
+ bool badUrl = false;
+ str = helper.getUrl(&badUrl);
+ if (badUrl) {
+ return helper.mText;
+ }
if (!str.isEmpty()) {
QString hyperlink;
if (str.left(4) == QLatin1String("www.")) {
@@ -464,7 +478,6 @@ QString KTextToHTML::convertToHtml(const QString &plainText, const KTextToHTML::
result = helper.emoticonsInterface()->parseEmoticons(result, true, exclude);
}
- //qDebug()<<" result "<<result;
return result;
}
diff --git a/src/lib/text/ktexttohtml_p.h b/src/lib/text/ktexttohtml_p.h
index 74ad7a0..fc43613 100644
--- a/src/lib/text/ktexttohtml_p.h
+++ b/src/lib/text/ktexttohtml_p.h
@@ -49,7 +49,7 @@ public:
QString getEmailAddress();
bool atUrl();
bool isEmptyUrl(const QString &url);
- QString getUrl();
+ QString getUrl(bool *badurl = Q_NULLPTR);
QString pngToDataUrl(const QString &pngPath);
QString highlightedText();

@ -9,7 +9,7 @@
Name: kf5-%{framework}
Version: 5.26.0
Release: 1%{?dist}
Release: 2%{?dist}
Summary: KDE Frameworks 5 Tier 1 addon with various classes on top of QtCore
License: GPLv2+ and GPLv2+
@ -25,6 +25,7 @@ URL: https://quickgit.kde.org/?p=%{framework}.git
Source0: http://download.kde.org/%{stable}/frameworks/%{versiondir}/%{framework}-%{version}.tar.xz
## upstream patches
patch1: 0001-kmail-html-injection-in-plan-text-viewer-cve-2016-7966.patch
BuildRequires: extra-cmake-modules >= %{version}
BuildRequires: kf5-rpm-macros >= %{version}
@ -118,6 +119,9 @@ update-mime-database %{?fedora:-n} %{_datadir}/mime &> /dev/null || :
%changelog
* Fri Oct 07 2016 Than Ngo <than@redhat.com> - 5.26.0-2
- CVE-2016-7966, KMail: HTML injection in plain text viewer
* Wed Sep 07 2016 Daniel Vrátil <dvratil@fedoraproject.org> - 5.26.0-1
- KDE Frameworks 5.26.0

Loading…
Cancel
Save