[xiphos-source] [crosswire/xiphos] 172029: fix: validate paths and file types in showStudypad...
Devon Kirk
noreply at github.com
Fri Jun 19 07:03:41 EDT 2026
Branch: refs/heads/master
Home: https://github.com/crosswire/xiphos
Commit: 1720296ce6b2743fbcb533bcd30b7e422055dc00
https://github.com/crosswire/xiphos/commit/1720296ce6b2743fbcb533bcd30b7e422055dc00
Author: Devon Kirk <67167176+hyder365 at users.noreply.github.com>
Date: 2026-06-19 (Fri, 19 Jun 2026)
Changed paths:
M src/main/url.cc
Log Message:
-----------
fix: validate paths and file types in showStudypad and showImage URL actions (#1328)
showStudypad passed the 'value' parameter directly to editor_create_new()
as a file path without validation, enabling arbitrary file reads via
path traversal or absolute paths. Add checks to reject '..', absolute
paths, and directory separators.
showImage passed the path to show_separate_image() which spawned
xdg-open with the file as argument, enabling arbitrary file execution.
Add a whitelist of recognized image file extensions.
Co-authored-by: Devon Kirk <hyder365 at users.noreply.github.com>
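The two checks the commit message describes, written out as a stand-alone example. This is added illustration, not code from the Xiphos commit or from src/main/url.cc; the function names, the extension list and the sample inputs in main() are assumptions for illustration. The studypad check treats the value as a bare file name (no separators, no '..'), which also rejects POSIX absolute paths since they start with a separator; the image check is a name-based extension whitelist.

```cpp
// Added example (not Xiphos code): the two checks described in the commit
// message, as stand-alone functions. Names, extension list and sample
// inputs are assumptions for illustration.
#include <algorithm>
#include <cctype>
#include <iostream>
#include <string>
#include <vector>

// showStudypad-style check: accept only a bare file name. Rejecting every
// directory separator means the caller's base directory cannot be left, and
// it also covers POSIX absolute paths, which begin with '/'. A Windows build
// would additionally have to reject drive-letter forms such as "C:".
bool is_safe_studypad_name(const std::string &name)
{
    if (name.empty())
        return false;
    if (name.find('/') != std::string::npos ||
        name.find('\\') != std::string::npos)
        return false;
    // Parent-directory component anywhere in the name (deliberately
    // conservative: "a..b" is rejected too).
    if (name.find("..") != std::string::npos)
        return false;
    return true;
}

// Lower-cased extension after the last '.', or "" when there is none.
static std::string lower_extension(const std::string &path)
{
    std::string::size_type dot = path.rfind('.');
    if (dot == std::string::npos || dot + 1 == path.size())
        return "";
    std::string ext = path.substr(dot + 1);
    std::transform(ext.begin(), ext.end(), ext.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return ext;
}

// showImage-style check: a whitelist of image extensions (assumed list) so
// that the argument handed to xdg-open is at least named like an image and
// not, for example, a shell script or .desktop file.
bool is_allowed_image_path(const std::string &path)
{
    static const std::vector<std::string> allowed = {
        "png", "jpg", "jpeg", "gif", "bmp", "svg", "webp"};
    const std::string ext = lower_extension(path);
    if (ext.empty())
        return false;
    return std::find(allowed.begin(), allowed.end(), ext) != allowed.end();
}

int main()
{
    // Constructed sample inputs.
    const char *pads[] = {"notes.pad", "../etc/passwd", "/etc/passwd", "sub/notes.pad"};
    for (const char *p : pads)
        std::cout << "studypad " << p << " -> "
                  << (is_safe_studypad_name(p) ? "accept" : "reject") << '\n';

    const char *images[] = {"/home/user/pic.PNG", "/home/user/script.sh", "/home/user/noext"};
    for (const char *i : images)
        std::cout << "image " << i << " -> "
                  << (is_allowed_image_path(i) ? "accept" : "reject") << '\n';
    return 0;
}
```

The extension whitelist narrows the attack surface but is only a name check: xdg-open dispatches on the desktop's MIME detection, so a file whose name ends in an image extension is still opened by whatever handler the desktop picks for its detected type. Restricting the resolved path to a known image directory, as the studypad check does for its base directory, is the stronger complement.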