qzind / qz-print

Archive for legacy qz-print versions (1.8, 1.9). See https://github.com/qzind/tray for modern versions.

setCertificatePromise bypass #139

Closed tresf closed 8 years ago

tresf commented 8 years ago

@bberenz thoughts appreciated here...

Currently with the 2.0 branch, the recommended method for setting the certificate is as follows:

```javascript
qz.security.setCertificatePromise(function(resolve) {
   resolve($.ajax("path/to/digitial-certificate.txt"));
});
```

However, this certificate step can be bypassed completely by commenting out this block, and there's no sign to the user that the certificate wasn't provided.

```javascript
/*qz.security.setCertificatePromise(function(resolve) {
   resolve($.ajax("foo/bar.txt"));
});*/
```


From a security perspective, this is relatively minor, since the privileged commands will all fail due to an invalid certificate; however, there's no sign that the cert is missing and the untrusted dialog doesn't show in this scenario, which is different than the behavior in 1.9.

Note, this can also be simulated by giving a bad URL, i.e.

```javascript
qz.security.setCertificatePromise(function(resolve) {
   resolve($.ajax("invalid/path.txt"));
});
```
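
One way an integrating page can make the failed-fetch case described above visible instead of silent (an added example, not code from this issue or from the qz-print project). It assumes the certificate file is PEM text and that the callback may receive a `reject` argument; `certificateProblem`, `guardedCertificate` and `certUrl` are hypothetical names.

```javascript
// Added example; certificateProblem and guardedCertificate are hypothetical names.

// Return null if `text` looks like a PEM certificate, else a short reason.
// Assumption: the certificate file is a PEM-encoded X.509 certificate.
function certificateProblem(text) {
  if (typeof text !== 'string' || text.trim() === '') return 'empty response';
  const pem = /-----BEGIN CERTIFICATE-----([\s\S]+?)-----END CERTIFICATE-----/.exec(text);
  if (!pem) return 'no PEM certificate block'; // e.g. an HTML error page
  const body = pem[1].replace(/\s+/g, '');
  if (!/^[A-Za-z0-9+/]+={0,2}$/.test(body)) return 'PEM body is not base64';
  return null;
}

// Build the callback passed to qz.security.setCertificatePromise.
// fetchCert: () => promise/thenable of the certificate text (e.g. $.ajax(...)).
// warn: (message) => void, called on every failure so it is never silent.
function guardedCertificate(fetchCert, warn) {
  return function (resolve, reject) {
    return Promise.resolve()
      .then(fetchCert)
      .then(function (text) {
        const problem = certificateProblem(text);
        if (problem) throw new Error(problem);
        resolve(text);
        return true;
      })
      .catch(function (err) {
        const reason = (err && (err.message || err.statusText)) || 'request failed';
        warn('QZ certificate not loaded: ' + reason);
        // Assumption: a reject callback may be supplied as the second argument.
        if (typeof reject === 'function') reject(err);
        return false;
      });
  };
}

// Constructed sample input: a shortened, non-functional certificate body.
const SAMPLE_CERT = '-----BEGIN CERTIFICATE-----\nTUlJQ2V4YW1wbGU=\n-----END CERTIFICATE-----\n';

// Usage in a page that loads the QZ library and jQuery (certUrl is a placeholder):
// qz.security.setCertificatePromise(guardedCertificate(
//   function () { return $.ajax(certUrl); },
//   function (msg) { console.error(msg); }));
```

This only covers a fetch that fails or returns something other than a certificate; it cannot detect the call to `setCertificatePromise` being removed from the page altogether.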

akberenz commented 8 years ago

Fixed via eafcd9d4f8b2decc7b3e2c5966e3a42e1c969d95