After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.
Bug 760866 - XML special characters (e.g. ampersand) in connection name are not properly escaped/sanitized
XML special characters (e.g. ampersand) in connection name are not properly e...
Status: RESOLVED FIXED
Product: NetworkManager
Classification: Platform
Component: nm-connection-editor
git master
Other Linux
: Normal critical
: ---
Assigned To: NetworkManager maintainer(s)
NetworkManager maintainer(s)
Depends on:
Blocks:
 
 
Reported: 2016-01-19 22:38 UTC by Pascal Ernster
Modified: 2016-01-20 19:38 UTC
See Also:
GNOME target: ---
GNOME version: ---


Description Pascal Ernster 2016-01-19 22:38:02 UTC 
XML special characters (for example an ampersand) occurring in connection names are not properly escaped/sanitized when the list of all available connections is rendered in nm-connection-editor.

This is especially problematic with wifi SSIDs, as quite a lot of SSIDs do actually contain such characters. In practice, the most problematic character is probably the ampersand, but all XML characters in strings should be probably sanitized before throwing them at GTK.

I suspect that this could also be exploited to inject arbitrary GTK3 XML code into other user's sessions on multi-user systems, but I have not further investigated this.
Comment 2 Pascal Ernster 2016-01-20 19:38:26 UTC 
Thanks for the quick fix! :-)