Okay,
I have just pushed an experimental fix that should help protect against bad file: based urls coming from a maliciously crafted epub/javascript.
It sets a QWebEngineUrlRequestInterceptor in main.cpp that will examine every requestedURL and if it uses the file: scheme, it will only allow it if it points into one of the following 3 folders:
- the current epub main folder
- the mathjax main folder
- the user's Sigil preferences location
Any other file: destination will be blocked.
I have kept it as simple as possible and enabled a bunch of debug information.
I have no idea if it will work on Windows (due to file separator concerns) and Linux but there should be enough info in the debug output to help track down and fix any issues.
So if anyone has access to a Windows build or a Linux build, I would appreciate the feedback, especially for Qt 5.12.x and Qt 5.15.
Note: This fix depends on setting access to local file content to true (i.e. includes DiapDealer's fix for this issue).
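The folder check described in the post above, shown as an added example in plain C++; it is not Sigil's code and does not use Qt. The function names (`normalize`, `is_under`, `allow_local_path`) and the sample folder paths are hypothetical, and the input is assumed to be the already percent-decoded local path taken from a file: URL. It covers the separator concern the post raises, plus `..` traversal and sibling folders that share a name prefix.

```cpp
#include <cstdio>
#include <string>
#include <vector>

// Split a decoded local path into components. Both '/' and '\\' count as
// separators, "." and empty parts are dropped, ".." is resolved lexically.
// Returns false if ".." would climb above the top of the path.
static bool normalize(const std::string& path, std::vector<std::string>& out) {
    std::string part;
    for (size_t i = 0; i <= path.size(); ++i) {
        const char c = (i < path.size()) ? path[i] : '/';  // sentinel flushes last part
        if (c != '/' && c != '\\') { part += c; continue; }
        if (part == "..") {
            if (out.empty()) return false;
            out.pop_back();
        } else if (!part.empty() && part != ".") {
            out.push_back(part);
        }
        part.clear();
    }
    return true;
}

// True if path is root itself or lies below it. Whole components are compared
// (not a string prefix), so "/a/book-evil" does not match root "/a/book".
// Case-sensitive and purely lexical: symlinks are not resolved.
bool is_under(const std::string& path, const std::string& root) {
    std::vector<std::string> p, r;
    if (!normalize(path, p) || !normalize(root, r)) return false;
    if (r.empty() || p.size() < r.size()) return false;
    for (size_t i = 0; i < r.size(); ++i)
        if (p[i] != r[i]) return false;
    return true;
}

// Allow a file: destination only if it falls inside one of the allowed roots.
bool allow_local_path(const std::string& path, const std::vector<std::string>& roots) {
    for (const std::string& root : roots)
        if (is_under(path, root)) return true;
    return false;
}

int main() {
    // Constructed sample roots standing in for the epub, MathJax and prefs folders.
    const std::vector<std::string> roots = {
        "/tmp/sigil-x/epub", "/opt/sigil/mathjax", "C:\\Users\\u\\AppData\\Local\\sigil"};
    const char* tests[] = {"/tmp/sigil-x/epub/OEBPS/ch1.xhtml", "/tmp/sigil-x/epub/../../../etc/passwd",
                           "/tmp/sigil-x/epub-evil/x.js", "C:/Users/u/AppData/Local/sigil/prefs.ini"};
    for (const char* t : tests)
        std::printf("%-45s %s\n", t, allow_local_path(t, roots) ? "allow" : "block");
    return 0;
}
```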