calibre

HTML/JavaScript Execution in Metadata

Bug #1243976 reported by Benjamin Daniel Mussler on 2013-10-23

256

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	calibre	Fix Released	Undecided	Unassigned

Bug Description

Calibre 1.7 (Portable)
MS Windows 7 Professional SP1

Some metadata fields (at least "Authors") allow for the interpretation of HTML and JavaScript code.

Examples:

Author: <script>for (var i = 1; i <=3; i++){alert("hello");}</script>
(only a nuisance, but could be turned into an infinite loop)

Author: <a href="http://example.org">Some Author</a>
(clicking on the name of the author in the right panel takes the user to a web site. This could be abused to take unsuspecting users to web sites they don't want to visit)

Author: <img src="http://...">
(loads a remote image as soon as the user clicks on the list entry. It requires less user interaction than the two above and could be abused to track readers without them noticing; in my opinion, this is a privacy concern)

Author: <iframe src="http://...">
(can be abused as a combination of the previous two)

Author: <script>document.body.innerHTML = '<a href="http://example.org">Click here to update Calibre</a>';</script>
(UI can be changed to trick users into downloading malicious software)

Tags:

Revision history for this message

Kovid Goyal (kovid) wrote on 2013-10-24: Fixed in master

Fixed in branch master. The fix will be in the next release. calibre is usually released every Friday.

status fixreleased

Changed in calibre:
status:	New → Fix Released

Benjamin Daniel Mussler (bmussler) on 2014-09-23

information type:

Private Security → Public Security

Report a bug

This report contains Public Security information

Everyone can see this security related information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.