dashboard does not validate text fields
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Snap Store Server | Fix Released | Undecided | Matias Bordese |
Snapcraft | New | Undecided | Unassigned |
review-tools | Fix Released | Undecided | Jamie Strandboge |
snapd | Fix Released | High | Unassigned |
Bug Description
It seems dashboard.
In particular, I can have \n in title and summary, and arbitrary control characters in any of them.
I'd expect the three of them to reject anything that isn't valid UTF-8; of Unicode, they should reject any control or private use character (that is: any character with class Cc or Co), and noncharacters. The exception being that description should accept \n.
--
I'm tagging as a security issue because you can currently embed escape sequences into the summary, which is displayed unquoted in 'snap find' and can thus do potentially nasty things to the user's terminal. I don't think it's a _serious_ security risk, but it's nasty.
"snap find counterintellig
Changed in snapd:
  assignee: nobody → John Lenton (chipaca)
  status: New → In Progress
  importance: Undecided → High
Changed in review-tools:
  status: New → Triaged
  assignee: nobody → Jamie Strandboge (jdstrand)
Changed in snapstore:
  assignee: nobody → Matias Bordese (matiasb)
Changed in snapstore:
  status: New → In Progress
Changed in snapstore:
  status: In Progress → Fix Committed
Changed in snapstore:
  status: Fix Committed → Fix Released
information type: Private Security → Public Security
Changed in snapd:
  status: In Progress → Confirmed
  assignee: John Lenton (chipaca) → nobody
I think I'd add U+FFFD REPLACEMENT CHARACTER to the list of 'nopes'.
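Added example, not code from snapd, the Snap Store, or review-tools: a Go validator that implements the rule stated in the bug description (valid UTF-8 only; reject Cc and Co characters and noncharacters; `\n` allowed only in the description) together with the U+FFFD rejection proposed in the comment above, plus a display-side sanitizer for the `snap find` case, where an ESC sequence embedded in a summary would otherwise reach the user's terminal. The field names, `ValidateField`, `SanitizeForTerminal` and the sample inputs are all assumptions constructed for this example.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
	"unicode/utf8"
)

// Field identifies which store text field is being checked; only
// Description may contain a bare newline, as the bug report asks.
type Field int

const (
	Title Field = iota
	Summary
	Description
)

// isNoncharacter reports whether r is one of the 66 Unicode noncharacters:
// U+FDD0..U+FDEF, plus the last two code points of every plane (U+xxFFFE, U+xxFFFF).
func isNoncharacter(r rune) bool {
	if r >= 0xFDD0 && r <= 0xFDEF {
		return true
	}
	return r&0xFFFE == 0xFFFE
}

// ValidateField applies the acceptance rule from the bug description
// (hypothetical helper, not the Store's or snapd's implementation):
// invalid UTF-8, Cc, Co, noncharacters and U+FFFD are rejected,
// and '\n' is accepted only in the description.
func ValidateField(f Field, s string) error {
	if !utf8.ValidString(s) {
		return fmt.Errorf("not valid UTF-8")
	}
	for i, r := range s {
		switch {
		case r == '\n' && f == Description:
			continue
		case unicode.Is(unicode.Cc, r):
			return fmt.Errorf("control character U+%04X at byte %d", r, i)
		case unicode.Is(unicode.Co, r):
			return fmt.Errorf("private use character U+%04X at byte %d", r, i)
		case isNoncharacter(r):
			return fmt.Errorf("noncharacter U+%04X at byte %d", r, i)
		case r == utf8.RuneError: // string is valid UTF-8, so this is a literal U+FFFD
			return fmt.Errorf("replacement character U+FFFD at byte %d", i)
		}
	}
	return nil
}

// SanitizeForTerminal is the defence on the client side: every rune that is
// not printable (Go's unicode.IsPrint, which admits ASCII space) is replaced
// by a visible \uXXXX escape, so store-supplied text cannot drive the terminal.
func SanitizeForTerminal(s string) string {
	var b strings.Builder
	for _, r := range s {
		if unicode.IsPrint(r) {
			b.WriteRune(r)
		} else {
			fmt.Fprintf(&b, "\\u%04X", r)
		}
	}
	return b.String()
}

func main() {
	// Constructed inputs: a summary carrying a clear-screen escape sequence,
	// and a description with a legitimate newline.
	hostile := "Counter-intelligence tool\x1b[2J\x1b[H"
	fmt.Println("summary:", ValidateField(Summary, hostile))
	fmt.Println("description:", ValidateField(Description, "line one\nline two"))
	fmt.Println("shown as:", SanitizeForTerminal(hostile))
}
```

Tab counts as Cc and is therefore rejected everywhere, which matches the reporter's rule of a single exception for `\n`; widen the exception deliberately if tabs are wanted. The sanitizer belongs in the client regardless of server-side validation, since already-published metadata and any future validation gap still reach the terminal through `snap find`.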