
List:       kde-core-devel
Subject:    Re: security vulnerability in konqueror
From:       George Staikos <staikos () kde ! org>
Date:       2001-09-01 4:15:14

On Monday 27 August 2001 17:38, Waldo Bastian wrote:

> The idea that I had was to implement a "security manager" (A singleton
> class) which needs to authorize actions that involve URLs. Something like
>
> KSecurityManager::authorizeURL(baseURL, action, newURL)
>
> "baseURL" would be the URL describing the current resource and "action" would
> be something like "user-clicked-link", "http-redirect", "explicit-open",
> "resource-request-by-html" (e.g. image, css-thingy),
> "script-requested-by-html" (e.g. javascript)
>
> newURL would be the requested resource.
>
> The set of (baseURL,action) would make up the authorisation context. When
> we assign this context to a KIO::Job, the job could check, when it gets a
> redirect, authorizeURL(baseURL, "http-redirect", redirected-to-URL) but
> also authorizeURL(baseURL, action, redirected-to-URL).
>
> This way you can guarantee that an action on a protocol which wouldn't be
> allowed directly, can't be obtained by means of a URL redirection either.

   That looks like a good idea.  I think we should go with this.

> I will not have any time to implement this before KDE 2.2.1 though.
> (It probably needs some more thinking anyway, to make sure that it is
> foolproof.)

   Yeah 2.2.1 needs to ship asap from what I've seen, so this can wait for 
2.2.2 (hopefully we shall have such a thing.  I've been out of the loop for a 
while so I don't know what the release plan is.  I should be back at it in a 
couple of weeks.....)

> What are the exact implications of this vulnerability? A malicious html
> page can redirect the browser to another protocol, resulting in undesired
> read-access. Is it possible to publish the data that is being accessed in
> any way beyond the application that does the access? Can javascript do that?
> It might cause problems with protocols that have side-effects on
> read-access (like the brain-dead scheme used by pop3, which encodes the
> command in the URL and then does a GET for things like deleting messages)

   Well perhaps these should be fixed in 3.0 then.  I haven't really 
investigated this.  I have been away from things, and well, this is so 
obvious I figured it wasn't even worth investigating. :)

-- 

George Staikos
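The authorization-context idea quoted above (a single authorizeURL(baseURL, action, newURL) check, applied twice by a job on redirect: once for "http-redirect" and once for the original action) can be illustrated with a small policy model. The following is an added example written for this archive page, not KDE code and not the KSecurityManager that was proposed; the scheme-based policy it encodes (remote web content may only trigger automatic fetches of other web schemes, user-initiated actions may additionally open local files, and pop3 is treated as a read-with-side-effects scheme) is an assumption chosen to show the double check, not a rule from the thread.

```cpp
#include <algorithm>
#include <cctype>
#include <iostream>
#include <set>
#include <string>

// Hypothetical model of the authorizeURL(baseURL, action, newURL) design from
// the thread. The policy below is a constructed example, not KDE's.

// Lower-cased URL scheme, or "" if the URL has no scheme at all.
static std::string schemeOf(const std::string& url) {
    const std::string::size_type colon = url.find(':');
    if (colon == std::string::npos) return "";
    std::string s = url.substr(0, colon);
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

static bool isRemoteWebScheme(const std::string& scheme) {
    static const std::set<std::string> web = {"http", "https", "ftp"};
    return web.count(scheme) > 0;
}

// Actions the page itself triggers without the user asking for them.
static bool isAutomaticAction(const std::string& action) {
    static const std::set<std::string> automatic = {
        "http-redirect", "resource-request-by-html", "script-requested-by-html"};
    return automatic.count(action) > 0;
}

// The proposed single authorization point: may content at baseURL perform
// `action` against newURL?
bool authorizeURL(const std::string& baseURL, const std::string& action,
                  const std::string& newURL) {
    const std::string base = schemeOf(baseURL);
    const std::string target = schemeOf(newURL);
    if (target.empty()) return false;  // unparseable target: deny rather than guess

    // Constructed policy: content already loaded from a local file is trusted.
    if (base == "file") return true;

    // Remote content may only auto-fetch from other remote web schemes.
    if (isAutomaticAction(action)) return isRemoteWebScheme(target);

    // User-initiated actions ("user-clicked-link", "explicit-open") from remote
    // content may also reach local files, but never a scheme whose read access
    // has side effects (the pop3 example from the thread).
    static const std::set<std::string> sideEffectOnRead = {"pop3"};
    return sideEffectOnRead.count(target) == 0;
}

// What a job carrying the (baseURL, action) context does on an HTTP redirect:
// the redirect itself must be allowed AND the original action must be allowed
// against the new target, so a redirect can never widen what was permitted.
bool authorizeRedirect(const std::string& baseURL, const std::string& action,
                       const std::string& redirectedTo) {
    return authorizeURL(baseURL, "http-redirect", redirectedTo)
        && authorizeURL(baseURL, action, redirectedTo);
}

int main() {
    const std::string page = "http://example.com/index.html";  // constructed
    std::cout << "image direct to file:   "
              << authorizeURL(page, "resource-request-by-html", "file:///etc/passwd") << '\n';
    std::cout << "explicit open of file:  "
              << authorizeURL(page, "explicit-open", "file:///home/user/notes.html") << '\n';
    std::cout << "same via redirect:      "
              << authorizeRedirect(page, "explicit-open", "file:///home/user/notes.html") << '\n';
    return 0;
}
```

The third line of output is the point of the design: an explicit open of a local file may be permitted as a direct user action, yet the same target reached through a redirect is refused because the "http-redirect" check is evaluated in the same context.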

