List:       kde-core-devel
Subject:    Re: KDE 2.2.1: Ready to roll?
From:       Waldo Bastian <bastian () kde ! org>
Date:       2001-09-03 22:07:01
On Sunday 02 September 2001 11:18 pm, Waldo Bastian wrote:
> *) Security: Access of "unexpected" protocols like "cdrom:" or "pop3:"
> should be restricted. Any plans to fix this?

The following patch should be a start by disabling redirection from http[s] 
to anything other than http[s] or ftp.

Please review.

Cheers,
Waldo
-- 
KDE 2.2: We deliver.

["http_redirect.diff" (text/x-diff)]

Index: http.cc
===================================================================
RCS file: /home/kde/kdelibs/kio/http/http.cc,v
retrieving revision 1.391
diff -u -3 -d -p -r1.391 http.cc
--- http.cc	2001/08/09 01:18:01	1.391
+++ http.cc	2001/09/03 21:54:48
@@ -1544,9 +1544,15 @@ bool HTTPProtocol::readHeader()
   if (!locationStr.isEmpty())
   {
     KURL u(m_request.url, locationStr);
-    if(u.isMalformed() || u.isLocalFile() )
+    if(u.isMalformed())
     {
       error(ERR_MALFORMED_URL, u.url());
+      return false;
+    }
+    if ((u.protocol() != "http") && (u.protocol() != "https") &&
+       (u.protocol() != "ftp")) 
+    {
+      error(ERR_ACCESS_DENIED, u.url());
       return false;
     }
 
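Review bot: Dropping `u.isLocalFile()` from the malformed-URL test means a redirect to a file: URL is now reported as ERR_ACCESS_DENIED from the new protocol check rather than ERR_MALFORMED_URL; that is the more accurate error, but the behaviour change should be noted in the commit message. The allowlist comparison `(u.protocol() != "http") && (u.protocol() != "https") && (u.protocol() != "ftp")` is only robust if KURL::protocol() returns the scheme already lowercased, so a Location header of the form `HTTP://host/` is not wrongly denied; please confirm that KURL normalises case or compare with `lower()`. Minor: the line `(u.protocol() != "ftp")) ` carries trailing whitespace.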

