Built, packaged and signed with ricochet-build tag 3.0.27-build1
This release fixes a security issue (#195) identified by @s-rah.
This issue would allow a malicious contact to attempt to send a file containing HTML in its filename. This HTML would be inserted directly into the file-transfer message element in the Ricochet-Refresh chat panel, and rendered as 'richt-text'. This only allowed rendering a subset of HTML4 ( https://doc.qt.io/qt-6/richtext-html-subset.html ) and would not have allowed running of arbitrary JavaScript. In principle, a clever adversary could generate convincing UI to trick the user into performing unsafe actions outside the application (e.g. direct the user to visit a malicious domain).
Filenames are now rendered as plain-text rather than allowing Qt to render as HTML (e.g. <a href="https://example.com">foobar rather than foobar):
Thanks again to @s-rah for identifying and reporting this issue! 👋
Changelog
All Platforms
- Fixed #195