11:15:26 -xmr-pr- rating89us opened pull request #2903: Wallet: add isTrezor() function
11:15:27 -xmr-pr- > https://github.com/monero-project/monero-gui/pull/2903
13:00:27 -xmr-pr- rating89us opened pull request #2904: StandardDialog: new design
13:00:27 -xmr-pr- > https://github.com/monero-project/monero-gui/pull/2904
13:37:27 <selsta> .merge+ #2896 #2894 #2896 #2897 #2899 #2901 #2903
13:37:27 <xmr-pr> Added
14:45:27 -xmr-pr- xiphon opened pull request #2906: cmake: rename monero-gui binary to monero-wallet-gui
14:45:27 -xmr-pr- > https://github.com/monero-project/monero-gui/pull/2906
14:45:27 -xmr-pr- xiphon opened pull request #2905: cmake: drop '-std=c++0x' compiler flag
14:45:27 -xmr-pr- > https://github.com/monero-project/monero-gui/pull/2905
17:11:42 <selsta> .merge+ #2905 #2906
17:11:42 <xmr-pr> Added
20:57:31 <sarang> I assume this channel has seen this issue? https://github.com/monero-project/monero-gui/issues/2902
21:07:28 <selsta> I have not.
21:10:10 <sarang> Ah ok
21:10:14 <sarang> Well. There it is
21:10:36 <sarang> Was reported (not via responsible disclosure) via twitter
21:10:43 <sarang> Someone else posted as an issue
21:30:38 <selsta> Looks like the fix she suggested is deprecated in Qt 5.15 and I can’t find a different method to disable this.
21:30:58 <selsta> I’ll let xiphon take a look at this.
21:31:49 <sarang> Worth mentioning to her on twitter? (I do not have an account, and do not want one)
21:32:09 <sarang> It would show that the maintainers are aware of the issue now
21:48:03 <selsta> I commented on Twitter.
21:52:26 <sarang> Link?
21:58:03 <selsta> https://twitter.com/selsta541/status/1260685096492978176
21:59:15 <sarang> ty
21:59:25 <sarang> Does it seem like a problem in practice?
21:59:29 <xiphon> sarang: i wouldn't say is a big issue (as big as it is promoted in the twitter post)
21:59:37 <xiphon> no, it does seem like a bs to me
21:59:58 <sarang> Too bad that the twitter poster feels responsible disclosure is not worth it
22:00:00 <xiphon> although we can and probably will "fix" it (just in case)
22:00:06 <sarang> (I wholeheartedly disagree with her mentality on this)
22:00:33 <xiphon> i still don't agree that it is a big issue
22:00:45 <sarang> She does say that it's unlikely to be remotely exploitable
22:00:52 <xiphon> to do this, a user might explicitly want to "inject" some html code where it is not intended to be
22:00:53 <sarang> but even so
22:01:08 <xiphon> sure, it is unlikely to be exploitable by anyone
22:01:55 <selsta> Electrum had problems were nodes were able to send html responses which resulted in fake update client dialogs
22:02:02 <selsta> but I don’t think this is possible here
22:04:09 <xiphon> i still would say that it is not a vulnerability at all
22:04:36 <xiphon> it is like a user entering "rm -rf" in the console
22:05:01 <sarang> Perhaps a comment on the github issue would also be helpful
22:05:37 <xiphon> but is a bug, though. So we probably could sanitize a user's input
22:05:46 <selsta> I think her Twitter post was more general and someone asked if this is possible with monero GUI, it didn’t seem like a vulnerability disclosure to me
22:05:48 <xiphon> just in case the user want to do something really dumb
22:06:22 <sarang> selsta: perhaps, but the thread basically indicated that she didn't intent to responsibly disclose future flaws
22:06:33 <sarang> a mentality that I think is reckless and unprofessional
22:06:42 <sarang> but that is unrelated to this particular issue
22:12:38 <selsta> sarang: read up on her previous tweets now, agree with you
22:12:43 <moneromooo> The "I'm an asshole, look at me" mentality is prevalent among those who style themselves security researchers (no idea about this particular case). The apparent glory attracts that type of people.
22:13:14 <sarang> I don't doubt that this researcher knows her stuff, FWIW
22:13:40 <sarang> I just disagree with the conclusion that because some projects/companies don't respond well to disclosures, that responsible disclosure isn't still the right thing to do
22:14:17 <sarang> But again, that's somewhat separate from this particular issue
22:14:20 <moneromooo> "Some dude laughed at me when I said please, I won't say please to anyone ever again"
22:14:58 <moneromooo> Granted, it's satisfying on the spot.
22:16:02 * moneromooo feels a sudden urge to be an asshole to someone...
22:18:34 <sarang> nooo
23:37:36 <dsc_> been aware of QMLs behaviour on this for quite a while, I committed this on Dec 12 2018; https://github.com/monero-project/monero-gui/commit/fe6ce682bfd03b09b035f68944225a18b45e9873
23:39:13 <dsc_> AFAIK. QML's default text component is RichText which automagically resolves, for example, <img> tags. This can be problematic with user-input. The attack that I came up with: 1) Create a wallet 2) Create a new contact 3) You give it a name with some HTML in it (had to use some modified monero-core code for this 4) It saves to wallet cache. 5) You send your wallet + wallet cache to victim 6) Victim opens 
23:39:19 <dsc_> wallet in GUI which will ping back to you upon rendering. 7) You have his IP (h0h0h0)
23:39:38 <dsc_> I think we also discussed this around Dec 12 2018, specifically how Qt automagically resolves HTML tags in richtext components. Then 1.5 weeks later we get this: https://www.zdnet.com/article/users-report-losing-bitcoin-in-clever-hack-of-electrum-wallets/
23:39:52 <dsc_> My conspiracy theory is that someone here read that.
23:40:04 <dsc_> <8')
23:58:47 <selsta> dsc_: lol https://usercontent.irccloud-cdn.com/file/8a72UzHT/Screenshot%202020-05-14%20at%2001.58.32.png
23:59:12 <dsc_> hahaha
23:59:31 <dsc_> but like xiphon mentioned, no way to trigger this remotely
23:59:38 <dsc_> so its not really a vuln
23:59:48 <dsc_> but we have to be careful on where we place RichTexts