
List:       kde-core-devel
Subject:    Re: Patch: konqueror form attacks
From:       Martijn Klingens <mklingens () yahoo ! com>
Date:       2001-09-03 18:59:19

On Monday 03 September 2001 20:44, Bernhard Rosenkraenzer wrote:
> On Mon, 3 Sep 2001, Thomas Zander wrote:
> > I do have cups, and it runs a webserver on port 631, this works fine.
> > Does this mean I can't control my jobs anymore from konq?
> >
> > i.e.: http://www.cups.thomas.net:631/jobs?which_jobs=completed
>
> That will still work, however:
>
> <form method=post action="http://www.cups.thomas.net:631/jobs">
> Jobs type: <input type=text name="which_jobs">
> <input type=submit>
> </form>
>
> This one won't (unless you use the message box patch I've sent to the
> list earlier), and I expect it's usually called using something like
> that.

In these cases the page that contains the form is usually (if not always) on 
the same port. So the form tries to post to the same server and the same port 
it itself is loaded from. Maybe we could check for this and only allow 
posting to strange ports if this requirement is met?

Or would that still be too strict?

Martijn
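
Added example, not part of the original message and not Konqueror code: a sketch of the check proposed above, where a form may post to an unusual port only if the page holding the form was loaded from that same server and port. The function names are hypothetical, and treating every port other than the scheme default as "strange" is an assumption; the message does not define the set.

```javascript
// Added example; helper names are hypothetical, not Konqueror code.
const DEFAULT_PORTS = { 'http:': 80, 'https:': 443 };

// WHATWG URL reports '' when the port is the scheme default.
function effectivePort(url) {
  return url.port === '' ? DEFAULT_PORTS[url.protocol] : Number(url.port);
}

// Decide whether a form loaded from pageUrl may POST to its action.
function checkFormPost(pageUrl, action) {
  const page = new URL(pageUrl);
  const target = new URL(action, page); // relative actions resolve against the page

  if (!(target.protocol in DEFAULT_PORTS)) {
    return { allow: false, reason: 'target is not http(s)' };
  }
  const targetPort = effectivePort(target);
  // Assumption: every port other than the scheme default is "strange".
  if (targetPort === DEFAULT_PORTS[target.protocol]) {
    return { allow: true, reason: 'default port' };
  }
  // Hostnames are already lower-cased by the URL parser.
  if (page.hostname === target.hostname && effectivePort(page) === targetPort) {
    return { allow: true, reason: 'same server and port as the page' };
  }
  return { allow: false, reason: 'unusual port, page loaded from elsewhere' };
}

// Constructed cases: [page the form was loaded from, form action].
const CASES = [
  ['http://www.cups.thomas.net:631/jobs', 'http://www.cups.thomas.net:631/jobs'],
  ['http://WWW.CUPS.THOMAS.NET:631/admin', 'jobs'],
  ['http://www.example.org/page.html', 'http://www.cups.thomas.net:631/jobs'],
  ['http://www.example.org/page.html', 'http://www.example.org:8080/submit'],
  ['http://www.example.org/page.html', '/submit'],
];
for (const [page, action] of CASES) {
  const { allow, reason } = checkFormPost(page, action);
  console.log(`${allow ? 'ALLOW' : 'BLOCK'}  ${page} -> ${action}  (${reason})`);
}
```

The comparison is on the hostname string, so two names that resolve to the same machine count as different servers here.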
