Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Inline images with invalid HTTPS certs cause error that prevents use of stream #4726

Closed
WesleyAC opened this issue May 6, 2021 · 6 comments
Closed

Inline images with invalid HTTPS certs cause error that prevents use of stream #4726

WesleyAC opened this issue May 6, 2021 · 6 comments
Labels
a-Android bug P1 high-priority

Comments

@WesleyAC
Copy link
Contributor

WesleyAC commented May 6, 2021
edited

Loading a inline image with a invalid HTTPS cert causes the following:

Screenshot_20210506-162731

While this doesn't appear to have ever happened in the wild in Sentry (???), and changes in Camo in 4.0 will make it impossible for people to construct messages like this in the future, we should still fix it for the sake of being able to view existing messages.

#integrations > create svg will repro this.

(marking a-Android, since I don't think this would affect iOS, and P1 since it's a DoS vector on pre-6b7a3fb74 servers.)
@chrisbobbe
Copy link
Contributor

chrisbobbe commented May 6, 2021
edited

I know of two other issues that seem like probably the same thing: #4337, #4691. (I'm getting caught up on things from last week's call, so I don't think I'll have time to deduplicate just now; there's some discussion to read through.)

@elopez elopez mentioned this issue May 30, 2021
Closed
@timabbott
Copy link
Sponsor Member

Just updating this thread that we apparently have a similar bug in the desktop app (zulip/zulip-desktop#1119), and that we should still consider this important since (1) Camo doesn't run in docker-zulip, so a lot of 4.0 servers are still affected and (2) inability to read old content before the Camo changes is important in its own right.

@WesleyAC
Copy link
Contributor Author

This was fixed upstream react-native-webview/react-native-webview#1466, which we pulled in in 945848d. Closing.

This was referenced Jun 21, 2021
Closed
Closed
@chrisbobbe
Copy link
Contributor

chrisbobbe commented Jun 22, 2021
edited

This was fixed upstream react-native-webview/react-native-webview#1466, which we pulled in in 945848d. Closing.

Hmm, are you sure this has been fixed? Your screenshot at the top of the issue was from 2021-05-06, and the release containing 945848d, v27.155, went out on 2020-09-23.

@WesleyAC
Copy link
Contributor Author

Ah, makes sense. I'm pretty sure it's been fixed, since editing the HTML-creation code to add <img src="https://expired.badssl.com/test.png"> to the output HTML rendered just fine (as a broken image). I wasn't able to reproduce this, so I went looking for an upstream fix and found react-native-webview/react-native-webview#1466, which did fix it. I got 945848d from git blame on package.json, but I think we actually got it in a yarn.lock update, likely 78a7763.

Thanks for catching that!

@chrisbobbe
Copy link
Contributor

I think we actually got it in a yarn.lock update, likely 78a7763

Great, thanks for that investigation! Indeed, the react-native-webview PR says "This PR is included in version 10.9.3", and we went from 10.8.3 to 10.10.2 in that commit (link to changed lines in yarn.lock).

gnprice added a commit that referenced this issue Jul 19, 2021
@gnprice
changelog: Note #4726 was fixed in v27.164.
c8f52a5 
As we determined in the issue thread.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
a-Android bug P1 high-priority
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@timabbott @WesleyAC @chrisbobbe