[applet] Remove styled text support from list items (!5) · Merge requests · Plasma / Plasma applet for NetworkManager

Nate Graham requested to merge ngraham/plasma-nm:fix-security-issue into Plasma/5.19 Jun 19, 2020

This fixes a security regression introduced with the ExpandableListItem port which allowed styled text for the network name. Unfortunately Qt's styled text allows network access, and people could put malicious text in SSID names.

The ExpandableListItem component has no way to allow styled text for the subtitle but not the title, which is what the previous version did. However styled text in the subtitle is only being used for colorizing the arrows, which doesn't even work anymore because the colored arrows get replaced with Emojis for most people now that distros are shipping Emoji font support to make the Emoji Picker introduced in Plasma 5.18 work.

Because of this, we can fix the issue by turning off styled text support entirely, and removing the arrow colorization. There won't even be any visual changes for most people.

BUG: 423020 FIXED-IN: 5.19.2

Edited Jun 19, 2020 by Nate Graham

[applet] Remove styled text support from list items

Merge request reports