
List:       kde-core-devel
Subject:    Re: Patch: konqueror form attacks
From:       Matthias Hoelzer-Kluepfel <mhk () caldera ! de>
Date:       2001-09-03 14:10:15

On Monday 03 September 2001 14:51, Bernhard Rosenkraenzer wrote:
> On Mon, 3 Sep 2001, Matthias Hoelzer-Kluepfel wrote:
> > here is the patch I promised to do to prevent HTML form attacks in
> > konqueror.
>
> I'd prefer having an extension in there: Since some of the redirections
> might actually be legit (there's no reason a server couldn't be running a
> special web server on, say, port 631 if it doesn't have cups) and even
> some <form action="mailto:autoprocess@foo.com?subject=webform+1"> stuff is
> legit, I'd rather ask the user before saying permission denied.

Sounds reasonable. One problem, however, is that with your modification, the
user can allow the use of protocols other than http and https. This is blocked
in konqueror, currently, but maybe we should still disallow it at this place.
What do you think?

Bye,
Matthias.
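
Added example, not part of the original message and not the Konqueror patch: a three-way allow / ask / deny check for a form's action URL, showing how the "ask the user" option can stay limited to named cases so that a prompt never unlocks arbitrary protocols. The function name, the default ports and the `promptSchemes` parameter are assumptions made for illustration.

```javascript
// Hypothetical policy sketch; none of these names come from Konqueror.
// Schemes a form may submit to without a prompt.
const SILENT_SCHEMES = new Set(["http:", "https:"]);
// Default port per scheme; any other port counts as unusual (assumption).
const DEFAULT_PORT = { "http:": "80", "https:": "443" };

// promptSchemes: non-HTTP schemes the user may approve case by case.
// Empty set  = other protocols are always refused, with no prompt.
// {"mailto:"} = mailto: forms are offered to the user for confirmation.
function classifyFormAction(action, pageUrl, promptSchemes = new Set()) {
  let target;
  try {
    // Resolve relative actions ("/search") against the page URL.
    target = new URL(action, pageUrl);
  } catch (e) {
    return { verdict: "deny", reason: "unparseable action URL" };
  }
  const scheme = target.protocol;
  if (SILENT_SCHEMES.has(scheme)) {
    // URL.port is "" when the scheme's default port is in use.
    const port = target.port || DEFAULT_PORT[scheme];
    if (port === DEFAULT_PORT[scheme]) {
      return { verdict: "allow", reason: "standard web port" };
    }
    // Might be a legitimate web server on an odd port, or another
    // service (CUPS on 631, for example): the user decides.
    return { verdict: "ask",
             reason: `form submits to ${target.hostname} port ${port}` };
  }
  if (promptSchemes.has(scheme)) {
    return { verdict: "ask", reason: `form uses ${scheme} instead of http(s)` };
  }
  // Everything else is refused outright; no prompt can override it.
  return { verdict: "deny", reason: `scheme ${scheme} not permitted for forms` };
}

// Constructed sample inputs.
const page = "http://www.example.com/index.html";
const mail = "mailto:autoprocess@foo.com?subject=webform+1";
for (const [action, askable] of [
  ["/search", new Set()],
  ["http://printhost.example:631/jobs", new Set()],
  [mail, new Set()],
  [mail, new Set(["mailto:"])],
  ["ftp://files.example/upload", new Set(["mailto:"])],
]) {
  console.log(action, "->", classifyFormAction(action, page, askable).verdict);
}
```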
