List: kde-core-devel
Subject: Re: Patch: konqueror form attacks
From: Waldo Bastian <bastian () kde ! org>
Date: 2001-09-03 18:21:21
On Monday 03 September 2001 04:53 am, Matthias Hoelzer-Kluepfel wrote:
> Hi,
>
> here is the patch I promised to do to prevent HTML form attacks in
> konqueror. What the patch does is to block http post actions to some known
> ports that you don't want to be the receiver of post actions. The list of
> ports is the one from netscape (according to Dirk), with some ports added
> per advice of our security guru (imap/SSL, pop3/SSL, ftps, telnets and
> irc).
>
> Please review the patch.
Netscape also blocks GET actions in addition to POST.
I'm not in favour of adding a messagebox, as the comment says "it's either a
dirty hack or a security problem". I don't see a reason to support either of
them. Besides, it will not be translated in time.
As far as "mailto:" requests go, "mailto" is not a protocol in the sense of
KIO, so such URLs should never end up in http_post(). http_post should _ONLY_
be called with http or https URLs since only the http and https KIO-protocols
support the POST action. The assert is there to make that sure. Calling it
with any other URL is a software error, it's not a runtime error because the
calling function should have checked that already.
Cheers,
Waldo
--
KDE 2.2: We deliver.
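The mitigation under discussion, a port blocklist applied to form submissions before they leave the browser, is small enough to show in full. The following is an added illustration written for this archive page; it is not the Konqueror patch, not KDE code, and not the Netscape list the patch was based on (that list is not reproduced in the message). It assumes: the five services named in the thread (imap/SSL, pop3/SSL, ftps, telnets, irc) mapped to their IANA-registered port numbers; that, per Waldo's remark, GET is refused to those ports as well as POST; and that a non-http(s) URL is treated as a caller bug (the `assert` he describes) rather than a runtime condition, so it raises instead of being handled with a message box.

```python
"""Port blocklist for HTML form submissions, illustrating the konqueror thread.

Constructed example. Port numbers are IANA assignments for the services the
message names; they are an illustrative subset, not the list Konqueror shipped.
"""
from urllib.parse import urlsplit

# Services named in the thread -> IANA port numbers (assumed mapping).
BLOCKED_PORTS = {
    194: "irc",
    990: "ftps",
    992: "telnets",
    993: "imaps",
    995: "pop3s",
    6667: "irc",       # de facto IRC port, also in the "irc" category
}

# Default ports when the URL carries none; only http/https may POST via KIO.
DEFAULT_PORTS = {"http": 80, "https": 443}


def target_port(url: str) -> int:
    """Return the TCP port a form submission to `url` would connect to.

    Any scheme other than http/https is a software error in the caller, in the
    spirit of the assert in http_post(): "mailto:" and friends must never reach
    this point, so we fail loudly rather than show a dialog.
    """
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS:
        raise ValueError(f"form submission check called with non-http(s) URL: {url!r}")
    return parts.port if parts.port is not None else DEFAULT_PORTS[parts.scheme]


def check_form_submission(url: str, method: str) -> tuple[bool, str]:
    """Decide whether a form submission may be sent.

    Returns (allowed, reason). Both GET and POST are refused to blocked ports,
    as the reply notes Netscape does; the refusal is silent (no messagebox),
    leaving it to the caller to drop the request.
    """
    method = method.upper()
    port = target_port(url)
    service = BLOCKED_PORTS.get(port)
    if service is not None:
        return False, f"{method} to port {port} ({service}) refused by form-attack blocklist"
    return True, f"{method} to port {port} permitted"


if __name__ == "__main__":
    # Constructed sample targets: ordinary web form vs. a form aimed at IMAP/SSL.
    for sample_url, sample_method in [
        ("http://example.com/submit", "POST"),
        ("https://example.com:993/", "POST"),
        ("http://example.com:6667/", "GET"),
    ]:
        allowed, reason = check_form_submission(sample_url, sample_method)
        print(f"{sample_method:4} {sample_url:32} -> {'allow' if allowed else 'block'}: {reason}")
```

The check keys on the port the connection would actually use, so a URL without an explicit port resolves to 80 or 443 and passes, while an explicit `:993` is refused regardless of method. Keeping the scheme check as an exception rather than a user-visible error matches the thread's position that only http and https URLs should ever reach the POST path.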