[Pkg-geany-team] Bug#987189: Connects to the net to render images
Christoph Biedl
debian.axhn at manchmal.in-ulm.de
Mon Apr 19 12:50:28 BST 2021
Package: geany-plugin-markdown
Version: 1.37+dfsg-6
Severity: important
Dear maintainer,
when rendering external references, see example below, the markdown
plugin happily connects to the network to fetch that resource. I
consider this a privacy issue, also that might result in different
appearance in different places, and if things go horribly wrong, remote
code execution via malicious content.
How to repeat:
Enter the following text in a document named .md:
![debian](https://www.debian.org/Pics/debian-logo-1024x576.png)
Check the "Markdown Preview"
Expected: A placeholder, possibly a warning about external references
and an option to resolve them. Possibly somewhat like the Thunderbird
mail client does.
Got: The Debian logo as received from that website.
There should be a configuration item that controls the behaviour of
fetching external content. If it already exists, it is well hidden. And
the default should be to *not* fetch data.
Regards,
Christoph
-- System Information:
Debian Release: 11.0
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
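
Added example, not part of the original report and not code from the plugin: a sketch of the "placeholder instead of fetch" behaviour the report asks for, applied to the Markdown text before it reaches a renderer. The function name, the placeholder wording and the .example hosts are assumptions; it covers inline images, reference-style images and raw <img> tags, and a regex pass like this is weaker than blocking loads in the renderer itself.

```python
import re

# Assumption: only these URL forms leave the machine; relative paths and file: stay local.
REMOTE = re.compile(r'^(?:https?:|ftp:)?//', re.I)
INLINE_IMG = re.compile(r'!\[([^\]]*)\]\(\s*<?([^\s)>]+)>?(?:\s+"[^"]*")?\s*\)')
REF_IMG = re.compile(r'!\[([^\]]*)\]\[([^\]]*)\]')
REF_DEF = re.compile(r'^ {0,3}\[([^\]]+)\]:[ \t]*<?(\S+?)>?(?:[ \t].*)?$', re.M)
HTML_IMG = re.compile(r'<img\b[^>]*?\bsrc\s*=\s*["\']?([^"\'\s>]+)[^>]*>', re.I)


def block_remote_images(md):
    """Return (rewritten_markdown, blocked_urls); remote images become text."""
    blocked = []
    # Reference definitions such as: [logo]: https://host/logo.png "title"
    defs = {label.lower(): url for label, url in REF_DEF.findall(md)}

    def placeholder(alt, url, original):
        if not REMOTE.match(url):
            return original            # local resource: leave untouched
        blocked.append(url)            # keep the URL so a UI could offer to load it
        return "[blocked remote image: %s]" % (alt or "no alt text")

    def inline(m):                     # ![alt](url "title")
        return placeholder(m.group(1), m.group(2), m.group(0))

    def by_reference(m):               # ![alt][label] and ![alt][]
        label = (m.group(2) or m.group(1)).lower()
        return placeholder(m.group(1), defs.get(label, ""), m.group(0))

    def raw_html(m):                   # <img src="..."> embedded in Markdown
        return placeholder("", m.group(1), m.group(0))

    for pattern, handler in ((INLINE_IMG, inline), (REF_IMG, by_reference),
                             (HTML_IMG, raw_html)):
        md = pattern.sub(handler, md)
    return md, blocked


# Constructed sample: the first line is the report's test case, the rest are made up.
SAMPLE = (
    "![debian](https://www.debian.org/Pics/debian-logo-1024x576.png)\n"
    "![local](images/diagram.png)\n"
    "![logo][l]\n"
    '<img src="//tracker.example/p.gif" width=1>\n'
    '\n[l]: http://mirror.example/logo.png "Logo"\n'
)

if __name__ == "__main__":
    print(*block_remote_images(SAMPLE), sep="\n")
```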