
List:       kde-core-devel
Subject:    Re: KDE 2.2.1: Ready to roll?
From:       Waldo Bastian <bastian () kde ! org>
Date:       2001-09-03 19:04:40

On Monday 03 September 2001 01:04 am, Martin Konold wrote:
> On Sun, 2 Sep 2001, Waldo Bastian wrote:
> > *) Security: Access of "unexpected" protocols like "cdrom:" or "pop3:"
> > should be restricted. Any plans to fix this?
>
> Please tell me a scenario where this can really hurt or where it differs
> from a simple file:// or telnet://

telnet is handled by another program, just like mailto:, so that's not much 
of an issue. The problems are pretty much the same as for "file:/", the 
difference is that we have checks in place for "file" but not necessarily for 
other protocols.

> I have so far not seen how it really poses a new threat to the users.

It most likely doesn't pose a real threat, the problem is that we have no 
idea whether it does or not because we don't have anything that comes close 
to a security model. E.g. if javascript checks that it only downloads stuff 
from a certain host with HTTP/HTTPS, then that can probably be redirected 
with a HTTP redirect to any other host/protocol, which may or may not include 
file:/, effectively circumventing any safeguard that javascript had put in 
place.

Cheers,
Waldo
-- 
KDE 2.2: We deliver.
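
The redirect concern raised in the message above, as an added example that is not part of the original message and is not KDE code: a scheme/host policy applied only to the requested URL is compared with the same policy re-applied to every redirect target. The host names, the file path and the redirect table are constructed stand-ins for server responses.

```python
from urllib.parse import urlsplit, urljoin

# Constructed redirect table standing in for HTTP 3xx responses (hypothetical hosts).
REDIRECTS = {
    "http://trusted.example/data": "http://trusted.example/data2",
    "http://trusted.example/data2": "http://other.example/payload",
    "http://trusted.example/local": "file:/home/user/notes.txt",
}

ALLOWED_SCHEMES = {"http", "https"}
MAX_HOPS = 5


def allowed(url, allowed_hosts):
    """Policy check: scheme and host must both be on the allow-list."""
    parts = urlsplit(url)
    return parts.scheme in ALLOWED_SCHEMES and parts.hostname in allowed_hosts


def resolve_checked_once(url, allowed_hosts):
    """Weak form: policy applied to the requested URL only; redirects followed blindly."""
    if not allowed(url, allowed_hosts):
        raise PermissionError(url)
    hops = 0
    while url in REDIRECTS and hops < MAX_HOPS:
        url = urljoin(url, REDIRECTS[url])
        hops += 1
    return url


def resolve_checked_every_hop(url, allowed_hosts):
    """Hardened form: each redirect target is re-checked before it is followed."""
    for _ in range(MAX_HOPS + 1):
        if not allowed(url, allowed_hosts):
            raise PermissionError(url)
        if url not in REDIRECTS:
            return url
        url = urljoin(url, REDIRECTS[url])
    raise PermissionError("too many redirects")
```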
