Closed
Bug 851813
Opened 13 years ago
Closed 7 years ago
New email notification popup on KDE (KNotify) render HTML present in email subject
Categories
(Thunderbird :: OS Integration, defect)
Tracking
(Not tracked)
RESOLVED
INVALID
People
(Reporter: rhgzt, Unassigned)
Details
(Keywords: sec-low, Whiteboard: [KNotify bug])
Attachments
(1 file)
1.05 MB,
image/png
What did you do?
Receiving an email with HTML inside the subject on my KDE session.
For example:
test <img src="data:image/gif;base64,[base64 image data omitted]">
What happened?
The new email notification popup showed the image rendered inside the popup.
What should have happened?
The notification should have just displayed the subject as text without rendering the HTML.
Comments?
- I think this bug is caused by the way Thunderbird uses KNotify, which shows the notification inside a rich text box that renders HTML.
- I'm not sure if the notification is generated by Thunderbird or a third party tool, sorry if it's not Thunderbird.
- I think this bug can be a security problem. The rich text box uses a limited subset of HTML tags (http://harmattan-dev.nokia.com/docs/library/html/qt4/richtext-html-subset.html) but it may be potentially somehow.
Comment 1•12 years ago
Assigning to Mark to figure out where the problem is here. Should Thunderbird be sanitizing before sending text to the notification service, or is KDE insane to render text as HTML?
If there's no scripting allowed it's probably not much more than annoying. Do links work? Maybe you could put malicious links there.
Updated•12 years ago
Group: mail-core-security
Comment 2•12 years ago
I think Joshua might have some idea here, or may be able to pass onto someone who might be able to pick this up.
Assignee: standard8 → Pidgeot18
Comment 3•12 years ago
I don't know where this is being rendered as HTML. The intent is that the alerts service is supposed to be treating its input parameter as plain text apparently... I just have no clue which backend is being used.
I don't know who knows the alert notification service well... mconley perhaps?
Assignee: Pidgeot18 → nobody
Comment 4•12 years ago
(In reply to Daniel Veditz [:dveditz] from comment #1)
> Assigning to Mark to figure out where the problem is here. Should
> Thunderbird be sanitizing before sending text to the notification service,
> or is KDE insane to render text as HTML?
I've just tried this on a stock Linux build as we supply, and our notifications display the raw HTML.
> If there's no scripting allowed it's probably not much more than annoying.
According to that rich list box information (better URL: https://qt-project.org/doc/qt-4.8/richtext-html-subset.html), scripting isn't allowed, but it doesn't necessarily specify that.
> Do links work? Maybe you could put malicious links there.
Supposedly yes, which is concerning as you imply.
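The sender-side sanitizing step asked about in comment 1, sketched as an added example (not Thunderbird or KNotify code): it decodes the subject, strips control characters, and escapes markup only when the popup backend interprets it, since a plain-text backend would otherwise show literal entities. The function names, the `backend_renders_markup` flag and the sample subjects are assumptions made for illustration.

```python
import html
import re
import unicodedata
from email.header import decode_header, make_header

# Matches an opening or closing tag; the name must follow "<" directly, as in HTML.
TAG_RE = re.compile(r"</?([A-Za-z][A-Za-z0-9]*)\b[^>]*>")

# Constructed sample subjects (the image payload is a placeholder, not real data).
SAMPLE_PLAIN = 'test <img src="data:image/gif;base64,AAAA">'
SAMPLE_MIME = "=?utf-8?q?test_=3Cimg_src=3D=22x.gif=22=3E?="  # RFC 2047 encoded


def decode_subject(raw):
    """Decode RFC 2047 encoded-words so markup hidden by MIME encoding is visible."""
    try:
        return str(make_header(decode_header(raw)))
    except Exception:  # malformed encoded-word or unknown charset
        return raw     # fall back to the raw header text


def markup_tags(raw):
    """Tag names found in the decoded subject, useful for logging or triage."""
    return sorted({m.group(1).lower() for m in TAG_RE.finditer(decode_subject(raw))})


def notification_text(raw, backend_renders_markup, max_len=120):
    """Return the string to hand to the notification backend.

    backend_renders_markup is a hypothetical flag set by the caller: True for a
    popup that interprets HTML-like markup, False for one that shows text as-is.
    """
    text = decode_subject(raw)
    # Drop control and format characters (Unicode category C*): newlines, bidi overrides.
    text = "".join(ch for ch in text if unicodedata.category(ch)[0] != "C")
    text = text[:max_len]  # truncate before escaping so no entity is cut in half
    if backend_renders_markup:
        return html.escape(text, quote=True)  # <, >, &, quotes become entities
    return text  # plain-text backend: escaping would show literal "&lt;"


if __name__ == "__main__":
    for subject in (SAMPLE_PLAIN, SAMPLE_MIME, "budget: a < b"):
        print(markup_tags(subject), notification_text(subject, True))
```

Decoding comes first because a subject can carry the same tag inside a MIME encoded-word, where a check on the raw header would not see it.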
Comment 5•12 years ago
@rhgzt: which distribution/extensions are you using? I couldn't find anything on knotify being integrated into Thunderbird.
Flags: needinfo?(rhgzt)
(In reply to Mark Banner (:standard8) from comment #5)
> @rhgzt: which distribution/extensions are you using? I couldn't find
> anything on knotify being integrated into Thunderbird.
It was on Debian testing just before the Wheezy release. I installed the Lightning and Enigmail extensions, but maybe some others were pre-installed. I no longer have access to the host. I will try to reproduce it on a fresh Wheezy install.
Flags: needinfo?(rhgzt)
I reproduced this behavior with Debian 7.4.0, icedove 17.0.10, all extensions and plugins disabled.
Comment 8•11 years ago
Can you reproduce it with one of the official releases?
<ftp://ftp.mozilla.org/pub/mozilla.org/thunderbird/releases/17.0.9esr/>
[Actually a 24.0.x release would arguably be better since we're not maintaining 17.0.x anymore, but this would elucidate if it's a Debian-customization issue]
Updated•11 years ago
Group: mail-core-security
Updated•10 years ago
Group: core-security → mail-core-security
Comment 9•7 years ago
Haven't tried KDE, but at least on Ubuntu 18.04 (libnotify I guess) links or images are not displayed in the notifications. It seems <b>bolding</b> at least can be used though.
Seems like this is still a bug in KNotify if it still exists.
Whiteboard: [KNotify bug]
Comment 10•7 years ago
-> INVALID. I don't think this is a bug in Thunderbird. (If still an issue at all.)
Group: mail-core-security
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → INVALID