The runOnVIDThread method calls a native code library at line 123 of Quelea-master/Quelea/src/main/java/org/quelea/windows/multimedia/MacVideo.java, passing it sanitisedPath as a parameter. However, this parameter is derived from the user input getText, which enters the system in getTheme at line 423 of Quelea-master/Quelea/src/main/java/org/quelea/windows/newsong/ThemeToolbar.java and flows through the system without validation. This could enable an attacker to bypass security mechanisms and exploit a vulnerability in the native code.
Recommendations:
Avoid using native libraries, if at all possible.
Rearchitect the application to enable required functionality to be developed using safer Java APIs, instead of native code.
Do not use JNI calls to an untrusted native library. Explicitly review the native code in depth for potential security flaws and incongruent developer expectations.
Perform data validation on all input before passing to a JNI function call, as appropriate to the specific parameter context; perform validation on any result returned by the function.
Implement error handling around the JNI call, to catch any exceptions that may be caused by the native code.
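The last two recommendations can be combined into one guard that validates the path and contains failures at the native boundary. This is an added example, not Quelea's code: the class NativePathGuard, the allowedRoot policy, the extension list, the length limit and the nativeCall hook are all hypothetical, and it assumes Java 9 or later.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Locale;
import java.util.Set;
import java.util.function.Consumer;

public final class NativePathGuard {
    // Assumed policy values, not Quelea's: adjust to what the native player supports.
    private static final Set<String> ALLOWED_EXT = Set.of("mp4", "mov", "m4v", "avi", "mkv");
    private static final int MAX_PATH_CHARS = 1024;

    /** Returns a canonical path that may be handed to native code, or throws. */
    static Path validate(String userText, Path allowedRoot) throws IOException {
        if (userText == null || userText.isEmpty() || userText.length() > MAX_PATH_CHARS) {
            throw new IllegalArgumentException("path missing or too long");
        }
        // Control characters (including NUL) can truncate or corrupt a C string.
        if (userText.chars().anyMatch(Character::isISOControl)) {
            throw new IllegalArgumentException("control character in path");
        }
        // toRealPath resolves symlinks and ".." and fails if the file does not exist.
        Path real = Paths.get(userText).toRealPath();
        if (!real.startsWith(allowedRoot.toRealPath())) {
            throw new IllegalArgumentException("path outside allowed directory");
        }
        if (!Files.isRegularFile(real) || !Files.isReadable(real)) {
            throw new IllegalArgumentException("not a readable regular file");
        }
        String name = real.getFileName().toString().toLowerCase(Locale.ROOT);
        int dot = name.lastIndexOf('.');
        String ext = dot < 0 ? "" : name.substring(dot + 1);
        if (!ALLOWED_EXT.contains(ext)) {
            throw new IllegalArgumentException("unsupported extension: " + ext);
        }
        return real;
    }

    /** Validates first, then contains failures raised at the JNI boundary. */
    static boolean callNative(String userText, Path allowedRoot, Consumer<String> nativeCall) {
        try {
            nativeCall.accept(validate(userText, allowedRoot).toString());
            return true;
        } catch (IOException | RuntimeException | LinkageError e) {
            // LinkageError covers UnsatisfiedLinkError when the library is missing.
            System.err.println("native video call rejected or failed: " + e);
            return false;
        }
    }
}
```

The catch block only handles Java exceptions; a memory fault inside the native library terminates the JVM, so the validation step is the primary control.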
Commit: https://github.com/quelea-projection/Quelea/commit/7d8c235c4270d56389a9ccd95ad44e75c100e90a#diff-bd66c6f15a6083331abcae3625541567a83531e39bc44bd56c04c1e560a028d8