HTML/JavaScript Execution in Metadata

Bug #1243976 reported by Benjamin Daniel Mussler on 2013-10-23
Affects: calibre
Importance: Undecided
Assigned to: Unassigned

Bug Description

Calibre 1.7 (Portable)
MS Windows 7 Professional SP1

Some metadata fields (at least "Authors") allow for the interpretation of HTML and JavaScript code.

Examples:

Author: <script>for (var i = 1; i <=3; i++){alert("hello");}</script>
(only a nuisance, but could be turned into an infinite loop)

Author: <a href="http://example.org">Some Author</a>
(clicking on the name of the author in the right panel takes the user to a web site. This could be abused to take unsuspecting users to web sites they don't want to visit)

Author: <img src="http://...">
(loads a remote image as soon as the user clicks on the list entry. It requires less user interaction than the two above and could be abused to track readers without them noticing; in my opinion, this is a privacy concern)

Author: <iframe src="http://...">
(can be abused as a combination of the previous two)

Author: <script>document.body.innerHTML = '<a href="http://example.org">Click here to update Calibre</a>';</script>
(UI can be changed to trick users into downloading malicious software)

Fixed in branch master. The fix will be in the next release. calibre is usually released every Friday.

 status fixreleased

Changed in calibre:
status: New → Fix Released
information type: Private Security → Public Security
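
The class of issue in this report, sketched as an added example (not calibre's code and not the actual fix): an "Authors" value pasted into the details-panel markup as-is, next to the same value escaped as text, with a parser-based check that can serve as a regression test. The template and all function names are hypothetical; the sample values are the ones from the bug description.

```python
import html
from collections import Counter
from html.parser import HTMLParser

# "Authors" values copied from the bug description above.
PAYLOADS = [
    '<script>for (var i = 1; i <=3; i++){alert("hello");}</script>',
    '<a href="http://example.org">Some Author</a>',
    '<img src="http://...">',
    '<iframe src="http://...">',
    "<script>document.body.innerHTML = '<a href=\"http://example.org\">"
    "Click here to update Calibre</a>';</script>",
]

# Hypothetical details-panel template; not calibre's real markup.
TEMPLATE = '<table><tr><td>Authors</td><td>{authors}</td></tr></table>'

def render_unsafe(authors):
    """Behaviour the report describes: the field is pasted into markup as-is."""
    return TEMPLATE.format(authors=authors)

def render_safe(authors):
    """Treat the field as text: escape it before it reaches the HTML view."""
    return TEMPLATE.format(authors=html.escape(authors, quote=True))

class TagCollector(HTMLParser):
    """Records every element start tag an HTML parser sees in the output."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

def start_tags(markup):
    collector = TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags

def injected_tags(rendered):
    """Elements in the output beyond those the empty template produces."""
    extra = Counter(start_tags(rendered)) - Counter(start_tags(render_unsafe("")))
    return list(extra.elements())

if __name__ == "__main__":
    for value in PAYLOADS:
        print(injected_tags(render_unsafe(value)), injected_tags(render_safe(value)))
```

Escaping only covers fields meant to be plain text. A field that is supposed to carry markup (for example a rich-text comment) needs an allow-list sanitizer instead.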