github blueprint-freespeech/ricochet-refresh v3.0.27-release

latest releases: v3.0.29-release, v3.0.28-release
3 months ago

Built, packaged and signed with ricochet-build tag 3.0.27-build1

This release fixes a security issue (#195) identified by @s-rah.

This issue would allow a malicious contact to attempt to send a file containing HTML in its filename. This HTML would be inserted directly into the file-transfer message element in the Ricochet-Refresh chat panel, and rendered as 'richt-text'. This only allowed rendering a subset of HTML4 ( https://doc.qt.io/qt-6/richtext-html-subset.html ) and would not have allowed running of arbitrary JavaScript. In principle, a clever adversary could generate convincing UI to trick the user into performing unsafe actions outside the application (e.g. direct the user to visit a malicious domain).

Filenames are now rendered as plain-text rather than allowing Qt to render as HTML (e.g. <a href="https://example.com">foobar rather than foobar):

image

Thanks again to @s-rah for identifying and reporting this issue! 👋

Changelog

All Platforms

Don't miss a new ricochet-refresh release

NewReleases is sending notifications on new releases.