blueprint-freespeech / ricochet-refresh

Anonymous peer-to-peer instant messaging
https://www.ricochetrefresh.net

When parsing crafted links containing bogus characters (e.g. </a ) the application displays a different link text in the chat window than is actually sent to the browser or clipboard #70

Closed morganava closed 3 years ago

morganava commented 3 years ago

Furthermore, these bogus links may be prepended with http://. This in turn may leak sensitive data - potentially not anonymized with tor - through the used browser. Bug arbitrage in LinkedText.cpp: Ricochet looks for URLs in plain chat messages with a self-made regular expression (L39) and converts these to HTML links. The link's URL is encoded with QT's QUrl::toEncoded() (L62) to URL-encode special chars. When the self-made regular expression and QUrl disagree, QUrl::toEncoded() may be invoked on text it does not recognize as a URL and thus prepend http://.

For example the URL https://supersecurewebsite.com</a turns into http://https// supersecurewebsite.com</a.

Let's just purge the 'helpful' code in LinkedText.cpp and only display messages in plain text (rather than trying to make clickable URLs).
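An added illustration of the display-versus-href mismatch described above (example code, not from ricochet-refresh): GREEDY_URL_RE and encode_href_stand_in are constructed stand-ins for the hand-written URL regex and for the encoder's "prepend http://" fallback, not QUrl itself. The naive path derives the visible text and the href separately; the hardened path matches strictly and reuses the matched text verbatim as the href, and links_consistent checks that invariant over the produced HTML.

```python
import html
import re

# Constructed stand-in for the self-made regex: greedy, so it also swallows
# trailing junk such as "</a" after the host name.
GREEDY_URL_RE = re.compile(r"https?://\S+")

# Strict alternative: host limited to DNS characters, optional port, path
# limited to URL-safe characters, so a match never contains "<" or '"'.
STRICT_URL_RE = re.compile(
    r"https?://[A-Za-z0-9.-]+(?::\d+)?(?:/[A-Za-z0-9._~%!$&'()*+,;=:@/?#-]*)?"
)

# Extracts (href, visible text) pairs from the HTML fragments produced below.
LINK_RE = re.compile(r'<a href="([^"]*)">([^<]*)</a>')


def encode_href_stand_in(text: str) -> str:
    """Constructed stand-in (not QUrl::toEncoded): when the text is not a
    well-formed absolute URL, fall back to prepending "http://"."""
    if re.fullmatch(r"https?://[A-Za-z0-9.-]+(?::\d+)?(?:[/?#].*)?", text):
        return text
    return "http://" + text


def _linkify(message, pattern, href_of):
    """Escape the message and wrap each regex match in an anchor."""
    out, pos = [], 0
    for m in pattern.finditer(message):
        out.append(html.escape(message[pos:m.start()]))
        out.append('<a href="%s">%s</a>'
                   % (html.escape(href_of(m.group())), html.escape(m.group())))
        pos = m.end()
    out.append(html.escape(message[pos:]))
    return "".join(out)


def naive_linkify(message: str) -> str:
    """Vulnerable pattern: over-matching regex plus a separate encoder, so the
    href can differ from the text the user sees."""
    return _linkify(message, GREEDY_URL_RE, encode_href_stand_in)


def hardened_linkify(message: str) -> str:
    """Fix: strict match, and the href is exactly the displayed text."""
    return _linkify(message, STRICT_URL_RE, lambda url: url)


def links_consistent(fragment: str) -> bool:
    """Invariant: every anchor's href equals its visible text."""
    return all(href == text for href, text in LINK_RE.findall(fragment))
```

Run with the message from the report, "https://supersecurewebsite.com</a": naive_linkify yields an anchor whose href starts with http://https:// while the visible text does not, and links_consistent flags it; hardened_linkify links only the clean prefix and leaves "</a" as escaped text.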

m-simonelli commented 3 years ago

Resolved in PR #76