Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #4739: Backport "FIX(client): Only allow "http"/"h…
…ttps" for URLs in ConnectDialog" Our public server list registration script doesn't have an URL scheme whitelist for the website field. Turns out a malicious server can register itself with a dangerous URL in an attempt to attack a user's machine. User interaction is required, as the URL has to be opened by right-clicking on the server entry and clicking on "Open Webpage". This commit introduces a client-side whitelist, which only allows "http" and "https" schemes. We will also implement it in our public list. In future we should probably add a warning QMessageBox informing the user that there's no guarantee the URL is safe (regardless of the scheme). Thanks a lot to https://positive.security for reporting the RCE vulnerability to us privately. This is a backport of #4733
- Loading branch information