List: kde-core-devel
Subject: Re: Expanded registrations for KOffice mime types
From: Thomas Zander <zander () planescape ! com>
Date: 2002-05-24 16:36:46
On Fri, May 24, 2002 at 12:54:18AM +0200, Marc Mutz wrote:
> On Thursday 23 May 2002 23:42, Nicolas Goutte wrote:
> > "ZIP archives, XML files and supported image files"
> >
> > Do WMF (Windows Meta Files) count as images too? What is the security
> > status of those?
> >
> > As far as I know, KPresenter is prepared to have sound files. This
> > should perhaps be noted too, shouldn't it?
...
> Hmm, of course. There opens a can of worms:
> What about e.g. SVG images with embedded JavaScript? How do you want to
> handle those? Allow it? Ignore the JavaScript? Strip it off before
> including it in the KApp document?
>
> More generally: Is there a KOffice policy regarding external content
> that may have embedded active content? (PostScript is known to be able
> to do nasty things like IIRC accessing the local file system when
> interpreted)
>
> Marc

svg/eps/wml etc are all embedded in the document (but that is optional to
begin with). The document that uses the mime-type is a zip; so basically
you can include any executable/shell script virus in there as you want.
The statement that it does not introduce extra security concerns is therefore
complete.

For the people that are afraid that I am sidestepping the problem with that;
on the question of using any scripts or other possible virus-like code in the
archive we keep and always will have the statement that we believe in separation
of document-data and executable-data. We will never allow something to be
executed when it (or its container) is marked as document data.

Cheers!
--
Thomas Zander zander@planescape.com
We are what we pretend to be
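
Added example, not part of the original message and not KOffice code: a Python sketch of treating a ZIP-based document purely as data, listing embedded SVG members that carry script elements, event-handler attributes or `javascript:` links without executing anything. The member names and the sample container are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

NS = 'xmlns="http://www.w3.org/2000/svg"'  # SVG namespace for the constructed samples

def local(name):  # strip the '{namespace}' prefix ElementTree puts on names
    return name.rsplit("}", 1)[-1].lower()

def svg_active_content(data):
    """Return findings for script-capable constructs in one SVG byte string."""
    findings = []
    for el in ET.fromstring(data).iter():
        if local(el.tag) == "script":
            findings.append("script element")
        for attr, value in el.attrib.items():
            if local(attr).startswith("on"):
                findings.append("event handler " + local(attr))
            elif local(attr) == "href" and value.strip().lower().startswith("javascript:"):
                findings.append("javascript: href")
    return findings

def scan_container(zip_bytes):
    """Map each SVG member of a ZIP document to its findings; nothing is executed."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".svg"):
                continue
            try:
                found = svg_active_content(zf.read(info))
            except ET.ParseError:
                found = ["not well-formed XML"]
            if found:
                report[info.filename] = found
    return report

def build_sample():
    """Constructed sample container; member names are made up for this example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("maindoc.xml", "<DOC/>")
        zf.writestr("pictures/clean.svg", f'<svg {NS}><rect width="1" height="1"/></svg>')
        zf.writestr("pictures/active.svg",
                    f'<svg {NS} onload="init()"><script>function init(){{}}</script></svg>')
    return buf.getvalue()

if __name__ == "__main__":
    print(scan_container(build_sample()))
```

For containers from untrusted senders, a hardened XML parser such as defusedxml is the safer choice than the standard-library parser used here.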