From b7aa953bcd0fc1d059e7a678ab10312fe015ebdb Mon Sep 17 00:00:00 2001
From: Devon Kirk
Date: Thu, 18 Jun 2026 15:56:40 -0400
Subject: [PATCH] fix: validate paths and file types in showStudypad and showImage URL actions

showStudypad passed the 'value' parameter directly to editor_create_new() as a file path without validation, enabling arbitrary file reads via path traversal or absolute paths. Add checks to reject '..', absolute paths, and directory separators.

showImage passed the path to show_separate_image() which spawned xdg-open with the file as argument, enabling arbitrary file execution. Add a whitelist of recognized image file extensions.

---
 src/main/url.cc | 22 ++++++++++++++++++----
 1 file changed, 18 insertions(+), 4 deletions(-)

diff --git a/src/main/url.cc b/src/main/url.cc
index 92b997783..98ba8ba84 100644
--- a/src/main/url.cc
+++ b/src/main/url.cc
@@ -986,14 +986,28 @@ gint main_url_handler(const gchar *url, gboolean clicked)
 } else if (!strcmp(action, "showStudypad")) {
- show_studypad(svalue, clicked);
+ if (svalue && !strstr(svalue, "..") &&
+ !g_path_is_absolute(svalue) &&
+ strchr(svalue, G_DIR_SEPARATOR) == NULL) {
+ show_studypad(svalue, clicked);
+ }
 } else if (!strcmp(action, "showImage")) {
- show_separate_image((!strncmp(svalue, "file:", 5)
 ? svalue + 5
- : svalue),
- clicked);
+ const gchar *img_path = (!strncmp(svalue, "file:", 5)
 ? svalue + 5
+ : svalue);
+ gboolean is_image = (g_str_has_suffix(img_path, ".png") ||
+ g_str_has_suffix(img_path, ".jpg") ||
+ g_str_has_suffix(img_path, ".jpeg") ||
+ g_str_has_suffix(img_path, ".gif") ||
+ g_str_has_suffix(img_path, ".bmp") ||
+ g_str_has_suffix(img_path, ".svg") ||
+ g_str_has_suffix(img_path, ".tiff") ||
+ g_str_has_suffix(img_path, ".webp"));
+ if (is_image) {
+ show_separate_image(img_path, clicked);
+ }
 }
 if (action)