https://bugs.kde.org/show_bug.cgi?id=506793
David Edmundson <[email protected]> changed:

Latest Commit:
  Removed: https://invent.kde.org/plasma/plasma-workspace/-/commit/b21323c647ef263b150096965ca4ab934b32aa0b
  Added:   https://invent.kde.org/plasma/plasma-workspace/-/commit/b91489b1628fed1efc242ed5524253176d461d39

--- Comment #6 from David Edmundson <[email protected]> ---
Git commit b91489b1628fed1efc242ed5524253176d461d39 by David Edmundson, on behalf of Nate Graham.
Committed on 29/09/2025 at 15:12.
Pushed by ngraham into branch 'Plasma/6.4'.

Sanitize images in notifications

Notifications are allowed to show local URLs. It's possible to break plasma by loading an image with a URL of file:///dev/urandom. This could be sent from a remote source; applications emitting notifications should sanitize their input, but we shouldn't solely rely on that.

This adds a few extra checks that the image is a valid local file.

Timing attacks are still possible, but only with locally running code, so not something to be concerned with.

(cherry picked from commit fe2d07b21403d20202514a5e5860698d52610da3)

3cd7bb2f Sanitize images in notifications

Co-authored-by: David Edmundson <[email protected]>

M  +20  -3   libnotificationmanager/autotests/notifications_test.cpp
M  +21  -1   libnotificationmanager/notification.cpp

https://invent.kde.org/plasma/plasma-workspace/-/commit/b91489b1628fed1efc242ed5524253176d461d39

-- 
You are receiving this mail because:
You are watching all bug changes.
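A check of the kind the commit describes, written here as an added example in plain C++17 rather than taken from plasma-workspace (the function names, the enum and the size limit are assumptions): only file:// URLs whose target is an existing regular file pass, so a device node such as /dev/urandom is rejected before any decoding is attempted.

```cpp
#include <cstdint>
#include <filesystem>
#include <fstream>
#include <optional>
#include <string>
#include <system_error>

namespace fs = std::filesystem;

// Outcome of validating a notification image URL (assumed design for this example).
enum class ImageCheck { Ok, NotFileScheme, NotFound, NotRegularFile, TooLarge };

// Upper bound on what we are willing to hand to an image decoder; a constructed limit.
constexpr std::uintmax_t kMaxImageBytes = 16u * 1024u * 1024u;

// Accept only "file:///absolute/path"; anything else (http, data, file://host/...) is refused.
std::optional<std::string> localPathFromUrl(const std::string& url) {
    const std::string scheme = "file://";
    if (url.compare(0, scheme.size(), scheme) != 0) return std::nullopt;
    std::string path = url.substr(scheme.size());
    if (path.empty() || path[0] != '/') return std::nullopt;
    return path;
}

// fs::status() follows symlinks, so the classification applies to the final target.
// A char device like /dev/urandom exists but is not a regular file, so it is rejected.
// The check-then-load window (the "timing attack" the commit mentions) remains.
ImageCheck checkNotificationImage(const std::string& url) {
    auto path = localPathFromUrl(url);
    if (!path) return ImageCheck::NotFileScheme;
    std::error_code ec;
    fs::file_status st = fs::status(*path, ec);
    if (ec || !fs::exists(st)) return ImageCheck::NotFound;
    if (!fs::is_regular_file(st)) return ImageCheck::NotRegularFile;
    std::uintmax_t size = fs::file_size(*path, ec);
    if (ec || size > kMaxImageBytes) return ImageCheck::TooLarge;
    return ImageCheck::Ok;
}

// Writes a tiny constructed file (PNG signature bytes only) for the demo and returns its path.
std::string makeSampleImage() {
    fs::path p = fs::temp_directory_path() / "sanitize_demo_image.png";
    std::ofstream out(p, std::ios::binary);
    out << "\x89PNG\r\n\x1a\n";
    return p.string();
}
```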
