Possible UI injection through sent/received filenames
Bug description
On sending a file to gajim named "><input> I got the following error printed in my console:
/usr/share/gajim/src/roster_window.py:4654: Warning: g_object_set_qdata: assertion `G_IS_OBJECT (object)' failed
  if not model[titer][data]:
/usr/share/gajim/src/roster_window.py:4709: Warning: g_object_set_qdata: assertion `G_IS_OBJECT (object)' failed
  if type_ == 'account' and model[titer][C_PADLOCK_PIXBUF]:
/usr/share/gajim/src/roster_window.py:6107: Warning: g_object_set_qdata: assertion `G_IS_OBJECT (object)' failed
  self.window.show_all()
gajim.py:422: Warning: g_object_set_qdata: assertion `G_IS_OBJECT (object)' failed
  gtk.main()
/usr/share/gajim/src/roster_window.py:4681: Warning: g_object_set_qdata: assertion `G_IS_OBJECT (object)' failed
  if model[titer][C_AVATAR_PIXBUF] or \
gajim.py:422: GtkWarning: Unable to retrieve the file info for `file:///home/kvm/xlol.svg': Error stating file '/home/kvm/xlol.svg': No such file or directory
  gtk.main()
/usr/share/gajim/src/dialogs.py:1304: GtkWarning: Failed to set text from markup due to error parsing markup: Error on line 4 char 38: Element 'markup' was closed, but the currently open element is 'input'
  self.format_secondary_markup(sectext)
/usr/share/gajim/src/filetransfers_window.py:212: GtkWarning: Failed to set text from markup due to error parsing markup: Error on line 4 char 38: Element 'markup' was closed, but the currently open element is 'input'
  dialog.show_all()
/usr/share/gajim/src/conversation_textview.py:1064: Warning: g_object_set_qdata: assertion `G_IS_OBJECT (object)' failed
  self.tv.add_child_at_anchor(img, anchor)
Therefore I think it may be possible to inject layout XML through received file names. However, I am not certain of this :-)
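The escaping step this report points at, as an added example that is not part of the original report or of Gajim's code: peer-supplied file names are escaped before being placed into markup text. The template, the function names and the sample file names are assumptions, and Python's XML parser stands in for the Pango markup parser.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Hypothetical template standing in for the dialog's secondary text; the
# real Gajim string is not shown in the report.
TEMPLATE = "<markup><b>File:</b> {name}\n<b>Sender:</b> {sender}</markup>"


def build_markup(filename, sender, escape_values=True):
    """Fill the template, escaping peer-controlled values by default."""
    if escape_values:
        # In a GTK application GLib.markup_escape_text() does this job.
        filename, sender = escape(filename), escape(sender)
    return TEMPLATE.format(name=filename, sender=sender)


def inspect_markup(markup):
    """Return (well_formed, sorted element names found in the markup)."""
    try:
        root = ET.fromstring(markup)
    except ET.ParseError:
        return False, []
    return True, sorted({el.tag for el in root.iter()})


def displayed_text(markup):
    """Text a user would see once the markup tags are interpreted."""
    return "".join(ET.fromstring(markup).itertext())


if __name__ == "__main__":
    # Constructed file names: the one from the report, one that is
    # well-formed markup on its own, and one with a bare ampersand.
    samples = ['"><input>', "<i>report</i>.txt", "a&b.txt"]
    for name in samples:
        for esc in (False, True):
            markup = build_markup(name, "peer@example.org", esc)
            label = "escaped" if esc else "raw"
            print(repr(name), label, inspect_markup(markup))
```

Unescaped, the file name from the report breaks parsing and a well-formed one adds its own element to the dialog; escaped, both are shown literally and only the template's elements remain.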