[Github-comments] [geany/geany] Status messages use unescaped filename (#2033)

Ben Wiederhake notifications at xxxxx
Wed Jan 2 19:41:37 UTC 2019


Context: geany helpfully indicates when the opened file is updated (according to ctime) or deleted from the filesystem.  This indicator seems to employ some part of gtk that renders HTML.

Steps to reproduce:
1. In a shell, `touch 'john;guitar&amp;studio.mp3'`
2. Open geany, for example from the shell `geany 'john;guitar&amp;studio.mp3'`
3. Cause an indicator to pop up, for example `touch 'john;guitar&amp;studio.mp3'` from the shell.
4. Look at geany again, and read the indicator content.

Expected indicator content: `The file 'john;guitar&amp;studio.mp3' on the disk is more recent than the current buffer.  Do you want to reload it?`

Actual indicator content: `The file 'john;guitar&studio.mp3' on the disk is more recent than the current buffer.  Do you want to reload it?`  Note that the HTML entity `&amp;` is collapsed to a single `&`.

As far as I can see, this is not really exploitable, because that requires really weird filenames, the renderer absolutely requires valid XHTML, and the filename cannot contain a forward slash (`/`) to provide closing tags.  Also, not all HTML entities are accepted.  This is why I chose to make this report public.
However, it is bad enough that it should be fixed.

There seem to be no related bugs in this bugtracker.  #779 is the opposite of this bug.

Or is this a Scintilla bug again?

https://github.com/geany/geany/issues/2033
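Added illustration (not Geany's code, not part of the report): the report's point is that a filename is pasted into a GTK/Pango markup string without escaping, so `&amp;` in the name is decoded by the renderer. In a GTK program the fix is to run the filename through GLib's `g_markup_escape_text()` (or to build the string with `g_markup_printf_escaped()`) before it reaches the label. The program below is a stand-alone C model of both halves of that story, so it builds without GTK: `markup_escape()` mirrors the five characters `g_markup_escape_text()` replaces, `markup_render()` is a deliberately minimal stand-in for the renderer that only decodes those five entities (real Pango rejects unknown ones), and `build_prompt()` assembles the prompt from the report with or without escaping. All three function names are this example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Escape the characters that carry meaning in Pango/GLib markup, mirroring
 * what GLib's g_markup_escape_text() does for them.  Stand-alone
 * reimplementation for this example; the caller frees the result. */
char *markup_escape(const char *text)
{
    static const struct { char c; const char *rep; } table[] = {
        { '&', "&amp;" }, { '<', "&lt;" }, { '>', "&gt;" },
        { '"', "&quot;" }, { '\'', "&apos;" },
    };
    size_t n = sizeof table / sizeof table[0];
    char *out = malloc(strlen(text) * 6 + 1); /* worst case: 6 bytes per char */
    if (!out) return NULL;
    char *q = out;
    for (const char *p = text; *p; p++) {
        const char *rep = NULL;
        for (size_t i = 0; i < n; i++)
            if (table[i].c == *p) { rep = table[i].rep; break; }
        if (rep) { size_t len = strlen(rep); memcpy(q, rep, len); q += len; }
        else *q++ = *p;
    }
    *q = '\0';
    return out;
}

/* Minimal model of what a markup renderer displays: "&amp;" collapses to
 * "&", and so on for the other four entities.  Anything else is copied
 * through unchanged (real Pango would report a parse error instead).
 * Caller frees the result. */
char *markup_render(const char *markup)
{
    static const struct { const char *ent; char c; } table[] = {
        { "&amp;", '&' }, { "&lt;", '<' }, { "&gt;", '>' },
        { "&quot;", '"' }, { "&apos;", '\'' },
    };
    size_t n = sizeof table / sizeof table[0];
    char *out = malloc(strlen(markup) + 1);
    if (!out) return NULL;
    char *q = out;
    for (const char *p = markup; *p; ) {
        size_t i;
        for (i = 0; i < n; i++) {
            size_t len = strlen(table[i].ent);
            if (strncmp(p, table[i].ent, len) == 0) { *q++ = table[i].c; p += len; break; }
        }
        if (i == n) *q++ = *p++;
    }
    *q = '\0';
    return out;
}

/* The reload prompt from the report, built either by pasting the filename
 * straight into the markup (the bug) or after escaping it (the fix).
 * Caller frees the result. */
char *build_prompt(const char *filename, int escape)
{
    const char *fmt = "The file '%s' on the disk is more recent than the "
                      "current buffer.  Do you want to reload it?";
    char *escaped = escape ? markup_escape(filename) : NULL;
    const char *use = escape ? escaped : filename;
    int len = snprintf(NULL, 0, fmt, use);
    char *out = malloc((size_t)len + 1);
    if (out) snprintf(out, (size_t)len + 1, fmt, use);
    free(escaped);
    return out;
}

int main(void)
{
    const char *filename = "john;guitar&amp;studio.mp3"; /* the name from the report */
    for (int escape = 0; escape < 2; escape++) {
        char *markup = build_prompt(filename, escape);
        char *shown = markup_render(markup);
        printf("%s:\n  markup:    %s\n  displayed: %s\n\n",
               escape ? "escaped" : "unescaped", markup, shown);
        free(markup);
        free(shown);
    }
    return 0;
}
```

Running it prints the prompt twice: the unescaped build displays `'john;guitar&studio.mp3'`, reproducing the collapsed entity the report describes, while the escaped build turns `&amp;` in the name into `&amp;amp;` in the markup and so displays `'john;guitar&amp;studio.mp3'`, the expected content. The same escaping is what stops `<` or `>` in a filename from being read as a tag.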