List: kde-core-devel
Subject: Re: KDE 2.2.1: Ready to roll?
From: Waldo Bastian <bastian () kde ! org>
Date: 2001-09-03 22:07:01
On Sunday 02 September 2001 11:18 pm, Waldo Bastian wrote:
> *) Security: Access of "unexpected" protocols like "cdrom:" or "pop3:"
> should be restricted. Any plans to fix this?

The following patch should be a start by disabling redirection from http[s]
to anything other than http[s] or ftp.

Please review.

Cheers,
Waldo
--
KDE 2.2: We deliver.
["http_redirect.diff" (text/x-diff)]
Index: http.cc
===================================================================
RCS file: /home/kde/kdelibs/kio/http/http.cc,v
retrieving revision 1.391
diff -u -3 -d -p -r1.391 http.cc
--- http.cc 2001/08/09 01:18:01 1.391
+++ http.cc 2001/09/03 21:54:48
@@ -1544,9 +1544,15 @@ bool HTTPProtocol::readHeader()
if (!locationStr.isEmpty())
{
KURL u(m_request.url, locationStr);
- if(u.isMalformed() || u.isLocalFile() )
+ if(u.isMalformed())
{
error(ERR_MALFORMED_URL, u.url());
+ return false;
+ }
+ if ((u.protocol() != "http") && (u.protocol() != "https") &&
+ (u.protocol() != "ftp"))
+ {
+ error(ERR_ACCESS_DENIED, u.url());
return false;
}
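
Review bot: The new allow-list test `(u.protocol() != "http") && (u.protocol() != "https") && (u.protocol() != "ftp")` ignores the scheme of the original request, so a response received over https can still be redirected to plain http or ftp. If that downgrade is not intended, compare against the protocol of m_request.url and let https redirect only to https. The string comparison is also case-sensitive, so it is worth confirming that u.protocol() returns the scheme in lower case; otherwise a Location header starting with "HTTP://" ends up in the ERR_ACCESS_DENIED branch. Reading u.protocol() once into a local, and adding a short comment that the allow-list is what now rejects file:, cdrom:, pop3: and similar targets (which is why the isLocalFile() test could be dropped), would make the intent clear to the next reader.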