issues with badly formed urls

I have no problem with Feisty up-to-date and Liferea 1.2.4.

Which Ubuntu and Liferea versions are you using?

I am using Feisty up-to-date and Liferea 1.2.4

"I have no problem with .."

Have you tried the exact same message? Or not?
Its not really a needs-info kind of thing. You can try the message, and you will experience the same. IT IS REPRODUCABLE.

More general, messages containing links to local files are a security-risk, which is what this bug-report is about.

I have tried the same message, as I'm subscribed to the Fridge, and all the links are good.

What engine are you using? (program>preferences>browser>view headlines with). I'm using mozilla, so maybe if you're using gtk the problem is there.

I have tried with gtkhtml2 and no problem.

Hey Ralf

Try to see in you cache what link you have. Maybe you're download was corrupt.

Look here "~/.liferea_1.2/cache/feeds/"

My fridge feed is "shwy...". If you don't have it, look in ".liferea_1.2/cache/favicons/", and search the fridge icon. It's name is the same of the fridge feed.

And look at the link you have. This is what I have:
<a href="//www.ubuntu.com/testing/herd4">Ubuntu</a>

(Opened with a text editor, if I copy the html maybe it won't be displayed).

Exactly. But when you have your mouse cursor on top of it you can see "file://www.ubuntu.com/testing/herd4" in your status-bar.

I assume Javascript is turned off anyways but it might be important to point out. Some one could in theory misuse this to link to some local document.

Hi Ralf!

I don't have that problem, even with javascript disabled. The link looks good in the status bar, and it opens fine in firefox.

With that I'm saying neither that there is no bug, nor that nobody else have it. Just that I can't reproduce it, nothing else.

And Well, I've tried with javascript disabled with mozilla gui, but not with gtk without js. I'll try now.

I hope we can solve this issue!

Best regards
Emilio

Weird: i can't reproduce this now as well.

And I am very sure that liferea wasn't updated in the mean time on my PC. I did update a few times though, but it mostly concerned irrelated libraries.

At first I though they might have fixed the message but they didn't: it still is "//www.ubuntu.com/testing/herd4"

So why is liferea suddenly smart enough (without any updates) to point this to "http://www.ubuntu.com/testing/herd4" instead of "file://www.ubuntu.com/testing/herd4"

I am retrying my other bugs now. To see if their behavior has changed as well...

For now I've updated the status to 'rejected'

The other bug is still valid.

I found it again. Please emilio, try the following:
  - make sure 'show the items of all child feeds when a folder is selected' is on in the preferences
  - add the 'fridge' to a folder.
  - put the folder in 'combined view' (from the view-menu)
  - click on folder and scroll to the message about herd-4 released
  - move the mouse on top of the link to Ubuntu
  - notice "file://www.ubuntu.com/testing/herd4" in the status-bar

The URL gets fixed when you are only looking at the fridge-feed, but not when you are looking at a directory in 'combined-view' that contains the fridge-feed.

This is showing more similarity to my other liferea-bug: where the combined-view of a directory also has problems with feeds that do not exist if you watch the specific feed..

There is a variant on this that occurs with well-formed URLs of this form:

/path/to/file.html

As observed with the protocol-less URLs, this becomes a link to the local filesystem, but only in combined view. I presume this has to do with how the HTML parser is provided with contextual information in the different views.

(Using latest public Feisty and Liferea 1.2.10)

I'd like to add that a URL that begins with "//" can be well-formed. For example,

//example.com/somepage.html

is a link to /somepage.html on the host example.com *in the same protocol*. That is, on

https://example.org/index.html

the link would go to

https://example.com/somepage.html

instead of the http:// variant.

I wasn't able to confirm this with the herd-4, and I haven't seen any other issue.

Can somebody else confirm it?

Add this as a subscription *in a folder* in Liferea.
A) Click on the *subscription*, then on the single item, and notice the path is handled correctly. <http://img516.imageshack.us/img516/1308/lifereasinglefeednu6.png>
B) Click on the *folder*, then on the single item from this feed, and notice the path is handled incorrectly. <http://img406.imageshack.us/img406/9268/lifereacompositejy5.png>

In the second case, clicking on the link in the entry should open your sshd_config file in a text editor.

Thanks for the test case!

Reported upstream. This won't be fixed in the 1.2.x series, and it's not sure whether it'll be fixed for 1.4.x

Setting as low since it affects just a few feeds, only when looking at them from a folder, or a virtual folder, and since it's not a major issue (like a crash or a hang).

Regards
Emilio

But we don't know how many of the users look feed-by-feed or use folder views. (For example, I almost never read an individual feed -- folders are way more convenient.)

And how sure are you that this isn't a security issue? Flash could be running in the security context of the user's filesystem!

Tim McCormack wrote:
> But we don't know how many of the users look feed-by-feed or use folder
> views. (For example, I almost never read an individual feed -- folders
> are way more convenient.)

That's a good point :) but it doesn't change the fact that it's uncommon.

> And how sure are you that this isn't a security issue? Flash could be
> running in the security context of the user's filesystem!

Could you give me an example where this can be a security issue?

Since Liferea tries to open the links with the browser, afaik, so it
shouldn't be a big problem :)

FWIW, I've marked this as low priority from a distribution POW, not from
an upstream POW. However, if you were right and this would be a security
risk, the importance wouldn't be the same.

> Since Liferea tries to open the links with the browser, afaik, so it
> shouldn't be a big problem :)

That's not completely correct. If you click on the /etc/ssh/sshd_config link in my 2007-05-06 example, you'll notice it opens in a text editor. That's because it is a file:// link, not an http:// link.

I'm fairly sure that javascript is blocked, which takes care of most of the security issues, but someone familiar with Flash should really look into this. Flash running in the security context of the filesystem may be able to harvest local files and send them to remote sites.

Hi Tim

I've discussed this with Lars (liferea's developer) and he's added a check to every link, so if it's a file://, liferea won't open it.

Cheers
Emilio

By the way, that doesn't solve this bug (the bad links will still be present) but this won't lead to a security hole.

The bad urls will be fixed in the future, though. So I'll leave the bug opened so we don't forget about this.

This upload fixes both the url issues when in a VF and the security one.

Thanks slomo for the upload :)

Accepted:
 OK: liferea_1.2.15-0ubuntu1.dsc
     -> Component: main Section: gnome
 OK: liferea_1.2.15.orig.tar.gz
 OK: liferea_1.2.15-0ubuntu1.diff.gz

********* *BEGIN ENCRYPTED or SIGNED PART* *********

Format: 1.7
Date: Thu, 17 May 2007 20:02:31 +0200
Source: liferea
Binary: liferea-mozilla liferea-gtkhtml liferea
Architecture: source
Version: 1.2.15-0ubuntu1
Distribution: gutsy
Urgency: low
Maintainer: Ubuntu Core Developers <email address hidden>
Changed-By: Emilio Pozuelo Monfort <email address hidden>
Description:
 liferea - feed aggregator for GNOME
 liferea-gtkhtml - transitional dummy package
 liferea-mozilla - transitional dummy package
Launchpad-Bugs-Fixed: 85650 114356
Changes:
 liferea (1.2.15-0ubuntu1) gutsy; urgency=low
 .
   * New upstream release (LP: #85650, #114356)
     - Better update result processing timer, should cause
       less CPU usage. (patch from Arjan van de Ven)
     - Increased security: disallowing clicking on file://
       links in the rendering widget, as well as preventing
       from opening such links using the context menu.
     - Fixes unresolved symbol in LUA binding.
       (SF #1720462, reported by Jonathan Cristoforetti)
     - Fixes broken base URL when selecting items in 3 pane
       mode from folders.
Files:
 75923bb0d6ddd7cb8653c73bf71f414e 955 gnome optional liferea_1.2.15-0ubuntu1.dsc
 23cb1c238f6806b53d8e340b830f1ff0 1429470 gnome optional liferea_1.2.15.orig.tar.gz
 d9a961e20c7b64411c562c13e6c669e7 12671 gnome optional liferea_1.2.15-0ubuntu1.diff.gz
Original-Maintainer: Franz Pletz <email address hidden>

********** *END ENCRYPTED or SIGNED PART* **********