fix: reject percent-encoded showStudypad/showImage in D-Bus reference #1339

Merged
karlkleinpaste merged 1 commit into crosswire:master from hyder365:fix/dbus-denylist-percent-encoding
Jul 1, 2026

Conversation

@hyder365 (Contributor)

The substring denylist in ipc_object_set_current_reference() runs against the raw reference bytes. A D-Bus peer on the user's session bus can send a reference like passagestudy.jsp?action=show%53tudypad; libsword's URL::getParameterValue percent-decodes the action before main_url_handler dispatches it, so the literal "showStudypad" substring is never seen by the denylist. The same works for show%49mage (showImage). Both actions reach the local filesystem (load an arbitrary cwd file into the StudyPad editor; hand a path to xdg-open / ShellExecuteW after a bypassable suffix check).

Replace the substring denylist with a percent-decoding of the action= parameter and a direct strcmp against the blocked actions. The substring allowlist (must contain sword://, bible://, passagestudy.jsp, or xiphos.url) is kept as a fast pre-filter.

A self-contained reproducer is in poc/reproducer.c in this branch: it demonstrates that a passagestudy.jsp?action=show%53tudypad reference is accepted by the old denylist and the action decodes to showStudypad for the switch in main_url_handler.

Follow-up to #1331.

The substring denylist in ipc_object_set_current_reference() runs against
the raw reference bytes before main_url_handler parses the URL.  libsword's
URL::getParameterValue percent-decodes the action parameter, so a reference
like 'passagestudy.jsp?action=show%53tudypad' (or show%49mage for
showImage) contains no literal 'showStudypad'/'showImage' substring,
slips past the denylist, and dispatches the local-file action against
the Xiphos user.

Replace the substring denylist with a percent-decoding of the action
parameter and a direct string compare against the blocked actions.  The
substring allowlist (must contain sword://, bible://, passagestudy.jsp,
or xiphos.url) is kept as a fast pre-filter.
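As an added illustration of the check the description and commit message above call for (this is example code written for this page, not Xiphos's or libsword's own code and not the PR's poc/reproducer.c): the old substring denylist next to a decode-then-compare check. The four allowlist markers and the two blocked action names are the ones the page states; `percent_decode_n`, `reference_is_allowed`, `old_denylist_accepts` and the sample references are this example's own assumptions. libsword's exact decoding rules are only approximated: the example decodes `%XX` once, passes `+` through unchanged, decodes parameter keys as well as values, and fails closed on a malformed escape.

```c
#include <stdio.h>
#include <string.h>

/* Actions that reach the local filesystem (per the PR text) and must never be
 * dispatched from a reference received over the session bus. */
static const char *const blocked_actions[] = { "showStudypad", "showImage", NULL };

/* Pre-merge behaviour as the PR describes it: a substring denylist over the raw
 * reference bytes. Kept here only to show what it misses. Returns 1 = accepted. */
int old_denylist_accepts(const char *ref)
{
    return strstr(ref, "showStudypad") == NULL && strstr(ref, "showImage") == NULL;
}

/* Substring allowlist kept as a fast pre-filter (the four markers named on the page). */
static int allowlist_prefilter(const char *ref)
{
    return strstr(ref, "sword://") != NULL || strstr(ref, "bible://") != NULL ||
           strstr(ref, "passagestudy.jsp") != NULL || strstr(ref, "xiphos.url") != NULL;
}

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode n bytes of percent-encoded input into out (NUL-terminated). Returns -1 on
 * a truncated or non-hex escape or on overflow so the caller can fail closed.
 * Assumption: a stand-in for libsword's single decode pass; '+' is left as-is. */
static int percent_decode_n(const char *in, size_t n, char *out, size_t outlen)
{
    size_t i, o = 0;
    for (i = 0; i < n; i++) {
        int c = (unsigned char)in[i];
        if (c == '%') {
            int hi, lo;
            if (i + 2 >= n) return -1;              /* truncated "%X" at end of value */
            hi = hexval((unsigned char)in[i + 1]);
            lo = hexval((unsigned char)in[i + 2]);
            if (hi < 0 || lo < 0) return -1;        /* "%zz" is not a valid escape */
            c = hi * 16 + lo;
            i += 2;
        }
        if (o + 1 >= outlen) return -1;             /* keep room for the terminator */
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return 0;
}

/* Hardened check: walk every key=value pair in the query string, percent-decode
 * both halves, and reject the reference if any "action" decodes to a blocked
 * action. Returns 1 = allowed, 0 = rejected. */
int reference_is_allowed(const char *ref)
{
    char key[64], val[256];
    const char *p;

    if (!allowlist_prefilter(ref))
        return 0;
    p = strchr(ref, '?');
    if (p == NULL)
        return 1;                                   /* no query string, nothing to dispatch on */
    for (p++; *p != '\0'; ) {
        const char *amp = strchr(p, '&');
        size_t plen = amp ? (size_t)(amp - p) : strlen(p);
        const char *eq = memchr(p, '=', plen);
        size_t klen = eq ? (size_t)(eq - p) : plen;

        /* Decode the key too, so "%61ction" cannot masquerade as a different parameter. */
        if (percent_decode_n(p, klen, key, sizeof key) != 0)
            return 0;                               /* malformed key: fail closed */
        if (strcmp(key, "action") == 0) {
            const char *vstart = eq ? eq + 1 : p + plen;
            size_t vlen = eq ? plen - klen - 1 : 0;
            size_t b;
            if (percent_decode_n(vstart, vlen, val, sizeof val) != 0)
                return 0;                           /* malformed or oversized value: fail closed */
            for (b = 0; blocked_actions[b] != NULL; b++)
                if (strcmp(val, blocked_actions[b]) == 0)
                    return 0;
        }
        p = amp ? amp + 1 : p + plen;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample references for a stand-alone run. */
    const char *samples[] = {
        "passagestudy.jsp?action=showStudypad",
        "passagestudy.jsp?action=show%53tudypad",
        "passagestudy.jsp?action=show%49mage&value=x",
        "sword://KJV/John.3.16",
        NULL
    };
    size_t i;
    for (i = 0; samples[i] != NULL; i++)
        printf("%-46s old=%d new=%d\n", samples[i],
               old_denylist_accepts(samples[i]), reference_is_allowed(samples[i]));
    return 0;
}
```

The design point is to compare against the same bytes the dispatcher will switch on: decode the parameter the way the consumer does, then compare whole strings rather than searching the undecoded reference for a substring. Failing closed on a malformed escape costs a few odd references but guarantees the check never lets through something the consumer might decode more leniently than this model.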
@karlkleinpaste karlkleinpaste merged commit 9d4167f into crosswire:master Jul 1, 2026
7 checks passed