
(#996): Fix arbitrary file read when href has special characters

In UrlResolver::resolve_href() we now explicitly disallow URLs that have a query string ("?") or a fragment identifier ("#").

We also explicitly check for a base URL and not resolving to a path, for example, "file:///base/foo.svg" + "." would resolve to "file:///base/" - this is technically correct, but we don't want to resolve to directories.

Also, we pass a canonicalized path name as a URL upstream, so that g_file_new_from_url() will consume it later, instead of passing the original and potentially malicious URL.

Fixes #996
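The checks this merge request describes, written out as an added, self-contained Rust sketch (this is not librsvg's `UrlResolver` code; the function and error names are assumptions, and paths are normalized lexically instead of via the filesystem so the example runs offline). It refuses hrefs carrying "?" or "#", refuses to resolve without a base URL, refuses results that name a directory rather than a file (the `"file:///base/foo.svg" + "."` case from the description), and returns a normalized path rather than the caller's original string. The final containment check, keeping the result under the base directory, goes beyond what the description states and is included here as an assumption.

```rust
use std::path::{Component, Path, PathBuf};

/// Reasons an href is refused. These names are this example's own.
#[derive(Debug, PartialEq)]
pub enum HrefError {
    NoBase,
    HasQueryOrFragment,
    UnsupportedScheme,
    ResolvesToDirectory,
    OutsideBaseDir, // assumption: not part of the MR description
}

/// Lexically normalize a path: drop "." components and fold ".." into the
/// parent component, without touching the filesystem.
fn normalize(path: &Path) -> PathBuf {
    let mut out = PathBuf::new();
    for comp in path.components() {
        match comp {
            Component::CurDir => {}
            Component::ParentDir => {
                out.pop();
            }
            other => out.push(other.as_os_str()),
        }
    }
    out
}

/// Resolve `href` against `base` (a file: URL naming the document) and return
/// the normalized path to hand downstream, or the reason it was refused.
pub fn resolve_href(base: Option<&str>, href: &str) -> Result<PathBuf, HrefError> {
    // Query strings and fragment identifiers are refused outright.
    if href.contains('?') || href.contains('#') {
        return Err(HrefError::HasQueryOrFragment);
    }
    // A base URL is required; only file: bases are handled in this sketch.
    let base = base.ok_or(HrefError::NoBase)?;
    let base_file = base.strip_prefix("file://").ok_or(HrefError::UnsupportedScheme)?;
    let base_dir = normalize(Path::new(base_file).parent().ok_or(HrefError::NoBase)?);

    let candidate = if let Some(abs) = href.strip_prefix("file://") {
        PathBuf::from(abs)
    } else if href.contains("://") {
        return Err(HrefError::UnsupportedScheme);
    } else {
        base_dir.join(href)
    };

    // The result must name a file: a trailing separator, the base directory
    // itself ("." or "sub/.."), or a bare root are all directories.
    if href.ends_with('/') {
        return Err(HrefError::ResolvesToDirectory);
    }
    let canonical = normalize(&candidate);
    if canonical == base_dir || canonical.file_name().is_none() {
        return Err(HrefError::ResolvesToDirectory);
    }
    // Assumption beyond the MR text: stay under the base directory.
    if !canonical.starts_with(&base_dir) {
        return Err(HrefError::OutsideBaseDir);
    }
    // Return the normalized path, never the caller's original string.
    Ok(canonical)
}

fn main() {
    for href in ["bar.svg", "bar.svg?x=1", "bar.svg#id", ".", "../other.svg"] {
        println!("{href:?} -> {:?}", resolve_href(Some("file:///base/foo.svg"), href));
    }
}
```

A lexical normalizer cannot tell that `sub` (no trailing slash) is a directory; a real resolver, as the description says librsvg does, canonicalizes through the filesystem and only then decides whether the target is a file.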
