List: kde-core-devel
Subject: Re: [RFC] Security and Features in KPDF
From: Ingo Klöcker <kloecker () kde ! org>
Date: 2005-01-03 18:55:36
Message-ID: 200501031955.37977 () erwin ! ingo-kloecker ! de
On Monday 03 January 2005 01:29, Malte S. Stretz wrote:
> On Monday 03 January 2005 01:08 CET Ingo Klöcker wrote:
> > On Monday 03 January 2005 00:19, Tobias Koenig wrote:
> > > But
> > > that's the same case as when the user clicks on an unknown email
> > > attachment. Do we forbid email attachments for this reason?
> >
> > That's nonsense. Clicking on an unknown email attachment in KMail
> > never results in 'rm -Rf /' or similarly dangerous commands
> > being executed. [...]
>
> What about HTML? Ok, maybe there's no rm -rf possible, but why isn't
> in PDFs everything allowed which is in HTML? Ok, maybe not
> everything (like JavaScript which is AFAIK possible with Acrobat 6
> though), but at least every link?
>
> That way one (aka Tobias) could put a script or whatever at a
> well-known place and put a file-URL to that place into his PDF file. A
> click executes, after a dialog of course. Ok, that would still give
> the user enough rope to hang himself, but hey, how would that be less
> secure than the attached HTML file? (Have you noted that the focus
> is on the "Execute" button btw?)
Shocking. I didn't know that Konqueror will ask whether fortune (or any
other app) should be executed. Indeed there's not much difference to
what Tobias proposed for kpdf.
Regards,
Ingo
[Attachment #3 (application/pgp-signature)]