GNOME Bugzilla – Bug 555940
eog is vulnerable to pango injection attack :-)
Last modified: 2008-10-12 11:53:44 UTC
Please describe the problem:

eog doesn't escape the filename strings before inserting them into a GTK label (thus pango markup in the filename causes strange effects).

Repro steps:
1. Launch this command:
   eog '<span font_desc="Monospace 30" foreground="#FF0000">string</span>'

Another set of repro steps:
1. Launch this command:
   eog 'jack & jones'

Note 1: from the second example it should be clear that "normal" filenames can actually cause problems. In that second case eog thinks the "&" char in the filename is the beginning of a pango markup entity. If you look carefully you can see that this also causes the <b></b> tags generated by eog to become visible as plain text.

Note 2: suggested fix, g_markup_printf_escaped()
Created attachment 120408: fix
Looks good, please commit.
Committed in trunk:

2008-10-12  Claudio Saavedra  <csaavedra@igalia.com>

	* src/eog-error-message-area.c:
	(eog_image_load_error_message_area_new),
	(eog_no_images_error_message_area_new): Use g_markup_escape_text()
	to avoid possible markup "injection attack". Fixes bug #555940
	(Martin Olsson)

This problem has been fixed in our software repository. The fix will go into the next software release. Thank you for your bug report.
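The bug and its fix side by side, as an added example that is not eog's code or the attached patch. The function names are hypothetical, the "<b>%s</b>" format is an assumption based on the <b></b> tags mentioned in the report, and escape_markup() is a dependency-free stand-in for GLib's g_markup_escape_text() so the block builds without GTK.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for g_markup_escape_text(): escapes the five characters that are
 * special in Pango/GMarkup text. Real GTK code should call the GLib function.
 * Caller frees the result. */
char *escape_markup(const char *s)
{
    char *out = malloc(strlen(s) * 6 + 1);   /* worst case: all "&quot;" */
    char *p = out;
    if (!out) return NULL;
    for (; *s; s++) {
        const char *rep = NULL;
        switch (*s) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&apos;"; break;
        }
        if (rep) { strcpy(p, rep); p += strlen(rep); }
        else *p++ = *s;
    }
    *p = '\0';
    return out;
}

/* "Before": the file name goes into the label markup unescaped, so any
 * '&' or '<' in it is parsed as markup (assumed format string). */
char *label_markup_unsafe(const char *filename)
{
    size_t n = strlen(filename) + sizeof("<b></b>");
    char *m = malloc(n);
    if (m) snprintf(m, n, "<b>%s</b>", filename);
    return m;
}

/* "After": escape the untrusted part first, then add the trusted tags. */
char *label_markup_safe(const char *filename)
{
    char *esc = escape_markup(filename);
    char *m = esc ? label_markup_unsafe(esc) : NULL;
    free(esc);
    return m;
}

int main(void)
{
    /* File name taken from the report's second repro step. */
    char *u = label_markup_unsafe("jack & jones");
    char *s = label_markup_safe("jack & jones");
    printf("unsafe: %s\nsafe:   %s\n", u, s);
    free(u); free(s);
    return 0;
}
```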