Ubuntu
address-book-app package

Address field not sanitized

Bug #1420851 reported by Víctor R. Ruiz on 2015-02-11

6

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	Ubuntu UI Toolkit	New	Undecided	Unassigned
	address-book-app (Ubuntu)	In Progress	Medium	Renato Araujo Oliveira Filho

Bug Description

While testing the fix for #1390110, I did this:

- Open webbrowser
- Go to http://m.xataka.com/analisis/asi-es-la-experiencia-ubuntu-en-smartphones-toma-de-contacto-con-el-bq-aquaris-e4-5-ubuntu-edition
- Select all content.
- Go to address book.
- Create a new contact
- Fill name ("Tester").
- Add address field.
- Paste content.
- Save contact.

Expected result:
- Address field shows only text content.

Actual result:
- An images from the webpage is displayed (see attached screenshot).

current build number: 233
device name: krillin
channel: ubuntu-touch/ubuntu-rtm/14.09-proposed

Tags:

Related branches

lp:~renatofilho/address-book-app/fix-1420851

Ready for review for merging into lp:address-book-app

system-apps-ci-bot: Needs Fixing (continuous-integration) on 2016-06-20

PS Jenkins bot: Needs Fixing (continuous-integration) on 2015-02-12

Ubuntu Phablet Team: Pending requested 2015-02-11

Revision history for this message

Víctor R. Ruiz (vrruiz) wrote on 2015-02-11:

#1

address-book-browser-paste.png Edit (425.8 KiB, image/png)

Renato Araujo Oliveira Filho (renatofilho) on 2015-02-11

Changed in address-book-app:
assignee:	nobody → Renato Araujo Oliveira Filho (renatofilho)
importance:	Undecided → Medium
status:	New → In Progress

Revision history for this message

Jamie Strandboge (jdstrand) wrote on 2015-02-11:

#2

Based on irc conversation, what is being pasted is an <img> tag, which is how the clipboard is supposed to work. Furthermore, the textfield is showing rich text by default (this should be configurable on a per widget basis), which is why the image is displayed. As such, this is not a security concern so I'll unsubscribe the security team.

Revision history for this message

Renato Araujo Oliveira Filho (renatofilho) wrote on 2015-02-11:

#3

Fixed on the address-book-app components. But the Page title property used to display the contact name need to be fixed on the SDK.

Revision history for this message

Víctor R. Ruiz (vrruiz) wrote on 2015-02-11:

#4

address-book-browser-paste-name.png Edit (371.4 KiB, image/png)

It also happens in the Name field.

Revision history for this message

Jamie Strandboge (jdstrand) wrote on 2015-02-11:

#5

The security team discussed this a bit and we found this:
"Note that the Supported HTML Subset is limited. Also, if the text contains HTML img tags that load remote images, the text is reloaded." - http://qt-project.org/doc/qt-4.8/qml-text.html

This suggests an <img> tag could specify a remote image. While Victor's bug originated from a user-driven interaction, if/when we support vcards, we'll want to be very careful about importing vcard data that will download remote content when displayed. Changing to non-richtext will future-proof us from this down the line.

Revision history for this message

Jamie Strandboge (jdstrand) wrote on 2015-02-11:

#6

Also, for completeness, here is the list of tags that richtext will honor: http://qt-project.org/doc/qt-4.8/richtext-html-subset.html

Revision history for this message

Renato Araujo Oliveira Filho (renatofilho) wrote on 2015-02-11:

#7

I noticed that on desktop the clipboard does not copy the "img" tags.

Revision history for this message

Zsombor Egri (zsombi) wrote on 2015-02-12:

#8

Please note that the text input has text formatting flags you can choose manually to not to interpret the entered text as rich text. The default setting is Automatic, meaning it'll try to detect the text type. OTOH, if the rich content is desired, you may need to filter the clipboard content before pasting into the input field.

Revision history for this message

Cris Dywan (kalikiana) wrote on 2015-02-12:

#9

From discussion this just now, it seems to me there are good arguments both ways, some use cases require rich text, others don't. And this includes the header, for example the Wikipedia scope customizes the font. Arguably only a minority is putting untrusted html into text fields, and it's fair for the address book to override the header.

Revision history for this message

Tim Peeters (tpeeters) wrote on 2015-02-12:

#10

For textfields and Labels in apps, the allowed input can be configured.

For internal labels that cannot be configured (like the title in the header, or text in a button) please report separate bugs. For those we need to carefully evaluate if we want to change the current behavior, and if we change it, see if it breaks any existing apps and update those.

Revision history for this message

Víctor R. Ruiz (vrruiz) wrote on 2015-02-12:

#11

address-book-name-indicator.png Edit (250.2 KiB, image/png)

The rich-text name field propagates to other applications, like the indicator. See screenshot.

Revision history for this message

Renato Araujo Oliveira Filho (renatofilho) wrote on 2015-02-12:

#12

i do not have control where this text will appear, probably you will find more places where this happen. (Contacts scope for example).

My suggestion is make all SDK labels plainText by default and the programmer can change it if necessary.

Sebastien Bacher (seb128) on 2015-05-22

affects:

address-book-app → address-book-app (Ubuntu)

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Bug attachments

Add attachment

Remote bug watches

Bug watches keep track of this bug in other bug trackers.