#3591 security: apply some fixes

pbek · pbek · commit b45ad2a90035 · 2026-05-01T13:04:58.000+02:00
Signed-off-by: Patrizio Bekerle &lt;patrizio@bekerle.com&gt;
diff --git a/src/dialogs/linkdialog.cpp b/src/dialogs/linkdialog.cpp
@@ -220,7 +220,7 @@ QString LinkDialog::getURL() const {
 
     if (!url.isEmpty() && !url.contains(QStringLiteral("://")) &&
         !url.startsWith(QStringLiteral("./"))) {
-        url = QStringLiteral("http://") + url;
+        url = QStringLiteral("https://") + url;
     }
 
     return url;
diff --git a/src/dialogs/updatedialog.cpp b/src/dialogs/updatedialog.cpp
@@ -433,12 +433,13 @@ bool UpdateDialog::initializeMacOSUpdateProcess(const QString &releaseUrl) {
         return false;
     }
 
+    // Set restrictive permissions before writing content to prevent other users
+    // from reading or replacing the script between creation and execution
+    tempFile->setPermissions(QFile::ExeOwner | QFile::ReadOwner | QFile::WriteOwner);
+
     // write the script content
     tempFile->write(scriptContent.toLatin1());
 
-    // setting executable permissions to the updater script
-    tempFile->setPermissions(QFile::ExeUser | QFile::ReadUser | QFile::WriteUser);
-
     // file->fileName() only holds a value after file->open()
     QString updaterFilePath = tempFile->fileName();
     tempFile->close();
diff --git a/src/libraries/fakevim/fakevim/fakevimhandler.cpp b/src/libraries/fakevim/fakevim/fakevimhandler.cpp
@@ -888,20 +888,28 @@ static QString fromLocalEncoding(const QByteArray &data) {
 }
 
 static QString getProcessOutput(const QString &command, const QString &input) {
-    // ensure the executable exists in some standard path and isn't random
-    const auto fullCmdPath = QStandardPaths::findExecutable(command);
-    if (fullCmdPath.isEmpty()) {
-        return {};
-    }
-
     QProcess proc;
 #if QT_VERSION >= QT_VERSION_CHECK(5, 15, 0)
     QStringList arguments = QProcess::splitCommand(command);
-    QString executable = arguments.takeFirst();
-    proc.start(executable, arguments);
+    if (arguments.isEmpty()) {
+        return {};
+    }
+    const QString executable = arguments.takeFirst();
 #else
-    proc.start(command);
+    // On Qt < 5.15, manually split on whitespace to avoid shell interpretation
+    QStringList arguments = command.split(QLatin1Char(' '), Qt::SkipEmptyParts);
+    if (arguments.isEmpty()) {
+        return {};
+    }
+    const QString executable = arguments.takeFirst();
 #endif
+    // Ensure the executable exists in some standard path and isn't random
+    const auto fullCmdPath = QStandardPaths::findExecutable(executable);
+    if (fullCmdPath.isEmpty()) {
+        return {};
+    }
+
+    proc.start(fullCmdPath, arguments);
     proc.waitForStarted();
     proc.write(toLocalEncoding(input));
     proc.closeWriteChannel();
diff --git a/src/libraries/qmarkdowntextedit b/src/libraries/qmarkdowntextedit
@@ -1 +1 @@
-Subproject commit 8fdeac4497c120534cd235e97c56940e2780cade
+Subproject commit b0b81698e7b5c824e9bad181b1dac650936d01c3
diff --git a/src/services/databaseservice.cpp b/src/services/databaseservice.cpp
@@ -1056,6 +1056,17 @@ bool DatabaseService::mergeNoteFolderDatabase(const QString& path) {
  */
 QByteArray DatabaseService::generateDatabaseTableSha1Signature(QSqlDatabase& db,
                                                                const QString& table) {
+    // Whitelist of valid table names to prevent SQL injection via table name concatenation
+    static const QStringList validTables = {
+        QStringLiteral("note"),         QStringLiteral("noteSubFolder"), QStringLiteral("tag"),
+        QStringLiteral("noteTagLink"),  QStringLiteral("noteFolder"),    QStringLiteral("bookmark"),
+        QStringLiteral("calendarItem"),
+    };
+    if (!validTables.contains(table)) {
+        qCritical() << __func__ << ": invalid table name rejected:" << table;
+        return QByteArray();
+    }
+
     QCryptographicHash hash(QCryptographicHash::Sha1);
     QSqlQuery query(db);
     query.prepare(QStringLiteral("SELECT * FROM ") + table);
diff --git a/src/services/mcpservice.cpp b/src/services/mcpservice.cpp
@@ -197,7 +197,7 @@ void McpService::sendHttpResponse(QTcpSocket *socket, int statusCode, const QByt
                                "HTTP/1.1 %1 %2\r\n"
                                "Content-Type: %3\r\n"
                                "Content-Length: %4\r\n"
-                               "Access-Control-Allow-Origin: *\r\n"
+                               "Access-Control-Allow-Origin: http://localhost\r\n"
                                "Access-Control-Allow-Methods: GET, POST, OPTIONS\r\n"
                                "Access-Control-Allow-Headers: Content-Type, Authorization\r\n"
                                "Cache-Control: no-store\r\n"
@@ -214,7 +214,7 @@ void McpService::sendHttpResponse(QTcpSocket *socket, int statusCode, const QByt
 void McpService::sendCorsHeaders(QTcpSocket *socket) {
     const QByteArray response =
         "HTTP/1.1 204 No Content\r\n"
-        "Access-Control-Allow-Origin: *\r\n"
+        "Access-Control-Allow-Origin: http://localhost\r\n"
         "Access-Control-Allow-Methods: GET, POST, OPTIONS\r\n"
         "Access-Control-Allow-Headers: Content-Type, Authorization\r\n"
         "Access-Control-Max-Age: 86400\r\n"
@@ -243,7 +243,7 @@ void McpService::openSseStream(QTcpSocket *socket) {
         "HTTP/1.1 200 OK\r\n"
         "Content-Type: text/event-stream\r\n"
         "Cache-Control: no-cache\r\n"
-        "Access-Control-Allow-Origin: *\r\n"
+        "Access-Control-Allow-Origin: http://localhost\r\n"
         "Connection: keep-alive\r\n"
         "\r\n";
 
diff --git a/src/services/owncloudservice.cpp b/src/services/owncloudservice.cpp
@@ -600,7 +600,8 @@ void OwnCloudService::startAppVersionTest() {
  */
 void OwnCloudService::ignoreSslErrorsIfAllowed(QNetworkReply *reply) {
     SettingsService settings;
-    if (settings.value(QStringLiteral("networking/ignoreSSLErrors"), true).toBool()) {
+    // Default to false to prevent MITM attacks on fresh installs
+    if (settings.value(QStringLiteral("networking/ignoreSSLErrors"), false).toBool()) {
         QObject::connect(reply, SIGNAL(sslErrors(QList<QSslError>)), reply,
                          SLOT(ignoreSslErrors()));
     }
@@ -988,7 +989,8 @@ void OwnCloudService::restoreTrashedNoteOnServer(const QString &fileName, int ti
     q.addQueryItem(QStringLiteral("timestamp"), QString::number(timestamp));
     url.setQuery(q);
 
-    qDebug() << url;
+    // Do not log the URL here — it contains the plaintext password
+    qDebug() << __func__ << "- restoring trashed note:" << fileName;
 
     QNetworkRequest r(url);
     addAuthHeader(&r);
diff --git a/src/utils/gui.cpp b/src/utils/gui.cpp
@@ -1365,16 +1365,24 @@ bool Utils::Gui::doLinuxDarkModeCheck() {
     //                    QStringLiteral("string:'org.freedesktop.appearance'
     //                    string:'color-scheme'");
 
+    // Use dbus-send directly instead of /bin/sh -c to avoid shell interpretation
+    const QString dbusExecutable = QStandardPaths::findExecutable(QStringLiteral("dbus-send"));
+    if (dbusExecutable.isEmpty()) {
+        qWarning() << __func__ << " - 'dbus-send' not found, doLinuxDarkModeCheck returned false";
+        return false;
+    }
+
     auto parameters = QStringList()
-                      << "-c"
-                      << "dbus-send --session --print-reply=literal --reply-timeout=1000 "
-                         "--dest=org.freedesktop.portal.Desktop /org/freedesktop/portal/desktop "
-                         "org.freedesktop.portal.Settings.Read string:'org.freedesktop.appearance' "
-                         "string:'color-scheme'";
+                      << QStringLiteral("--session") << QStringLiteral("--print-reply=literal")
+                      << QStringLiteral("--reply-timeout=1000")
+                      << QStringLiteral("--dest=org.freedesktop.portal.Desktop")
+                      << QStringLiteral("/org/freedesktop/portal/desktop")
+                      << QStringLiteral("org.freedesktop.portal.Settings.Read")
+                      << QStringLiteral("string:org.freedesktop.appearance")
+                      << QStringLiteral("string:color-scheme");
 
     QProcess process;
-    //    process.start(QStringLiteral("dbus-send"), parameters);
-    process.start(QStringLiteral("/bin/sh"), parameters);
+    process.start(dbusExecutable, parameters);
 
     if (!process.waitForStarted()) {
         qWarning() << __func__ << " - 'doLinuxDarkModeCheck' returned false";
diff --git a/src/widgets/settings/networksettingswidget.cpp b/src/widgets/settings/networksettingswidget.cpp
@@ -46,8 +46,9 @@ void NetworkSettingsWidget::readSettings() {
     ui->appHeartbeatCheckBox->setChecked(
         settings.value(QStringLiteral("appMetrics/disableAppHeartbeat")).toBool());
 
+    // Default to false to prevent MITM attacks on fresh installs
     bool ignoreSSLErrors =
-        settings.value(QStringLiteral("networking/ignoreSSLErrors"), true).toBool();
+        settings.value(QStringLiteral("networking/ignoreSSLErrors"), false).toBool();
     ui->ignoreSSLErrorsCheckBox->setChecked(ignoreSSLErrors);
     ui->letsEncryptInfoLabel->setVisible(ignoreSSLErrors);
 

Original file line number	Diff line number	Diff line change
`@@ -220,7 +220,7 @@ QString LinkDialog::getURL() const {`
`220`	`220`
`221`	`221`	`if (!url.isEmpty() && !url.contains(QStringLiteral("://")) &&`
`222`	`222`	`!url.startsWith(QStringLiteral("./"))) {`
`223`		`- url = QStringLiteral("http://") + url;`
	`223`	`+ url = QStringLiteral("https://") + url;`
`224`	`224`	`}`
`225`	`225`
`226`	`226`	`return url;`