RetroShare / RetroShare

RetroShare is a Free and Open Source cross-platform, Friend-2-Friend and secure decentralised communication platform.
https://retroshare.cc/

Local file html injection GUI vulnerability #2453

Open programmingzor opened 3 years ago

programmingzor commented 3 years ago

RetroShare GUI can be forced with specific messages to load local files from the hard disk on the target's computer.

Reproducing the bug: step 1: Create an HTML file:

<html>
<body>
<img src='/tmp/test.jpg'>
</body>
</html>

/tmp/test.jpg is the payload.

step 2: open this file in Chromium, Ctrl+A, Ctrl+C

step 3: paste the contents into a RetroShare chat, and send it.

The image is seemingly blocked from loading, it will display a blank image with an x logo.

However, if you go to browse message history, the file loads, and the image is going to be displayed. This vulnerability could open serious attack vectors, and must be closed.

(and please reconsider if this software REALLY needs HTML to display stuff, it's just basically an easy attack vector)

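The rendering path described above (HTML pasted into chat, then re-rendered from the history view) is where a defender would filter image sources before they ever reach the rich-text widget. The following is an added example, not RetroShare's code or the code from its fix PR: a small standalone C++ sanitizer that keeps only inline data: images and blanks every other <img> source; the function names and the allow-list rule are this example's own assumptions.

```cpp
// Added example (not RetroShare's code): neutralise every <img> source in chat
// HTML that is not an inline data: image, so rendering a stored message cannot
// make the Qt rich-text widget read a local file such as /tmp/test.jpg.
#include <algorithm>
#include <cctype>
#include <regex>
#include <string>

// Only inline data:image/... sources survive; paths, file:// and http(s)
// URLs would all make the renderer open something outside the message.
static bool isInlineImage(const std::string& src) {
    std::string s = src;
    s.erase(0, s.find_first_not_of(" \t\r\n"));   // ignore leading whitespace
    std::string head = s.substr(0, 11);
    std::transform(head.begin(), head.end(), head.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return head == "data:image/";
}

struct SanitizeResult {
    std::string html;   // message with unsafe sources removed
    int blocked;        // number of <img> sources that were neutralised
};

// Rewrites each <img ... src=...> whose source is not an inline image to
// src="" so there is nothing left to fetch. Handles single-, double- and
// unquoted attribute values; tag and attribute names match case-insensitively.
SanitizeResult sanitizeImageSources(const std::string& html) {
    static const std::regex imgSrc(
        R"rx((<img\b[^>]*?\bsrc\s*=\s*)(?:"([^"]*)"|'([^']*)'|([^\s>]+)))rx",
        std::regex::icase);
    SanitizeResult out{"", 0};
    std::string::const_iterator tail = html.begin();
    for (auto it = std::sregex_iterator(html.begin(), html.end(), imgSrc);
         it != std::sregex_iterator(); ++it) {
        const std::smatch& m = *it;
        std::string src = m[2].matched ? m[2].str()
                        : m[3].matched ? m[3].str() : m[4].str();
        out.html += m.prefix().str();        // text between matches, untouched
        if (isInlineImage(src)) {
            out.html += m.str(0);            // embedded image: keep verbatim
        } else {
            out.html += m.str(1) + "\"\"";   // local path or URL: drop it
            ++out.blocked;
        }
        tail = m[0].second;
    }
    out.html.append(tail, html.end());       // remainder after the last match
    return out;
}
```

Running the reporter's own payload through it leaves `<img src="">`, which the history view can render without touching the disk.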

hunbernd commented 3 years ago

Fix: https://github.com/RetroShare/RetroShare/pull/2460

csoler commented 3 years ago

IMHO we should get rid of HTML asap and only use some kind of markup language that allows a very limited set of features, then only convert to HTML when sending to Qt for an appropriate display.

hunbernd commented 3 years ago

We have had markup for chat already, but nobody turns it on at compile time, except me.