Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Prevent Pencil2D projects from referencing external files #1843

Merged
merged 8 commits into from
Jun 6, 2024
Merged

Prevent Pencil2D projects from referencing external files #1843

merged 8 commits into from
Jun 6, 2024

Conversation

scribblemaniac
Copy link
Member

This PR adds additional checks to the loading of bitmap/vector/sound layers so that they will not be loaded if they are outside of the data directory. This can occur with specially crafted main.xml files, or with symlinks. This closes multiple admittedly unlikely security threats in the program that can result in exfiltrating images from arbitrary locations though animations, and even duplicating arbitrary files under some circumstances. Tests have also been written for the scenarios this PR covers with the exception of symlinks (and possibly Windows shortcuts) because Qt has very bad support for symlink creation.

This also incidentally fixes an issue where an infinite loop will occur when loading a main.xml file that contains a non-element node (ex. an xml comment) in the sound layer.

@scribblemaniac scribblemaniac added this to the 0.7.0 milestone May 24, 2024
MrStevns
MrStevns reviewed May 30, 2024
View reviewed changes
Copy link
Member

@MrStevns MrStevns left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I was about to approve this as it looks good to me now but i noticed that you haven't made this change for the camera layer, is that intentional?

@scribblemaniac
Copy link
Member Author

I was about to approve this as it looks good to me now but i noticed that you haven't made this change for the camera layer, is that intentional?

Yes this is intentional. As far as I know, the camera layer doesn't read any data from other files (all the camera data is the in the main.xml file) so it does not need these checks.

MrStevns
MrStevns approved these changes May 30, 2024
View reviewed changes
Copy link
Member

@MrStevns MrStevns left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 👍

chchwy
chchwy reviewed Jun 4, 2024
View reviewed changes
tests/src/test_layerbitmap.cpp Outdated Show resolved Hide resolved
core_lib/src/structure/layervector.cpp Show resolved Hide resolved
core_lib/src/util/util.cpp Outdated Show resolved Hide resolved
core_lib/src/util/util.cpp Outdated Show resolved Hide resolved
@scribblemaniac scribblemaniac force-pushed the external-ref-block branch 3 times, most recently from 9f6d71f to 435aa63 Compare June 5, 2024 08:59
@chchwy chchwy self-requested a review June 6, 2024 02:03
@scribblemaniac
Copy link
Member Author

Thanks for the reviews @MrStevns and @chchwy

@scribblemaniac scribblemaniac merged commit a82bd7b into pencil2d:master Jun 6, 2024
10 checks passed
@scribblemaniac scribblemaniac deleted the external-ref-block branch June 6, 2024 21:47
@scribblemaniac scribblemaniac mentioned this pull request Jun 6, 2024
Open
33 tasks
@chchwy
Copy link
Member

chchwy commented Jun 7, 2024

All good. BTW, please use "Squash and Merge" next time. It gives a proper granularity of commits, making it clearer when reviewing the git history.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@chchwy chchwy chchwy approved these changes

@MrStevns MrStevns MrStevns approved these changes

Assignees
No one assigned
Labels
Bug
Projects
Pull Request Priority
Status: Merged
Milestone
0.7.0
Development

Successfully merging this pull request may close these issues.
3 participants
@scribblemaniac @chchwy @MrStevns