[prev in list] [next in list] [prev in thread] [next in thread] 

List:       kde-core-devel
Subject:    Re: Patch: konqueror form attacks
From:       Waldo Bastian <bastian () kde ! org>
Date:       2001-09-03 18:21:21
[Download RAW message or body]

On Monday 03 September 2001 04:53 am, Matthias Hoelzer-Kluepfel wrote:
> Hi,
>
> here is the patch I promised to do to prevent HTML form attacks in
> konqueror. What the patch does is to block http post actions to some known
> ports that you don't want to be the receiver of post actions. The list of
> ports is the one from netscape (according to Dirk), with some ports added
> per advice of our security guru (imap/SSL, pop3/SSL, ftps, telnets and
> irc).
>
> Please review the patch.

Netscape also blocks GET actions in addition to POST.

I'm not in favour of adding a messagebox, as the comment says "it's either a 
dirty hack or a security problem". I don't see a reason to support either of 
them. Besides it will not be tranlated in time.

As far as "mailto:" requests go, "mailto" is not a protocol in the sense of 
KIO, so such URLs should never end up in http_post(). http_post should _ONLY_ 
be called with http or https URLs since only the http and https KIO-protocols 
support the POST action. The assert is there to make that sure. Calling it 
with any other URL is a software error, it's not a runtime error because the 
calling function should have checked that already.

Cheers,
Waldo
-- 
KDE 2.2: We deliver.

[prev in list] [next in list] [prev in thread] [next in thread]