List: kde-core-devel
Subject: Re: KDE 2.2.1: Ready to roll?
From: Waldo Bastian <bastian () kde ! org>
Date: 2001-09-03 19:04:40
On Monday 03 September 2001 01:04 am, Martin Konold wrote:
> On Sun, 2 Sep 2001, Waldo Bastian wrote:
> > *) Security: Access of "unexpected" protocols like "cdrom:" or "pop3:"
> > should be restricted. Any plans to fix this?
>
> Please tell me a scenario where this can really hurt or where it differs
> from a simple file:// or telnet://
telnet is handled by another program, just like mailto:, so that's not much
of an issue. The problems are pretty much the same as for "file:/", the
difference is that we have checks in place for "file" but not necessarily for
other protocols.
> I have so far not seen how it really poses a new threat to the users.
It most likely doesn't pose a real threat, the problem is that we have no
idea whether it does or not because we don't have anything that comes close
to a security model. E.g. if javascript checks that it only downloads stuff
from a certain host with HTTP/HTTPS, then that can probably be redirected
with an HTTP redirect to any other host/protocol, which may or may not include
file:/, effectively circumventing any safeguard that javascript had put in
place.
Cheers,
Waldo
--
KDE 2.2: We deliver.
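
Added example, not part of the original message and not KDE code: a sketch of the mitigation for the redirect problem described above, where the scheme/host policy is applied to every redirect hop instead of only to the URL the script asked for. The host `trusted.example`, the redirect table and all function names are assumptions made for illustration; the table is constructed sample data standing in for server responses.

```python
from urllib.parse import urljoin, urlsplit

ALLOWED_SCHEMES = {"http", "https"}
MAX_HOPS = 5

# Constructed redirect table standing in for server responses:
# requested URL -> value of the Location header it answers with.
SAMPLE_REDIRECTS = {
    "http://trusted.example/start": "https://trusted.example/next",
    "https://trusted.example/next": "file:/etc/passwd",
    "http://trusted.example/hop": "http://other.example/data",
    "http://trusted.example/rel": "/final",
    "http://trusted.example/loop": "http://trusted.example/loop",
}


def check_url(url, allowed_host):
    """Return None if url satisfies the policy, else a reason string."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return "scheme %r not allowed" % parts.scheme
    if (parts.hostname or "").lower() != allowed_host.lower():
        return "host %r not allowed" % parts.hostname
    return None


def resolve(url, allowed_host, redirects=SAMPLE_REDIRECTS):
    """Follow redirects, applying the same policy to every hop.

    Returns (final_url, None) on success or (offending_url, reason) on refusal.
    """
    for _ in range(MAX_HOPS + 1):
        reason = check_url(url, allowed_host)
        if reason:
            return url, reason  # refuse before anything is fetched from this hop
        location = redirects.get(url)
        if location is None:
            return url, None  # no further redirect: this is the final resource
        url = urljoin(url, location)  # Location may be relative to the current URL
    return url, "too many redirects"


if __name__ == "__main__":
    for start in SAMPLE_REDIRECTS:
        print(start, "->", resolve(start, "trusted.example"))
```

The first entry passes a check made only on the requested URL, yet ends at a `file:` target after two hops; the per-hop check is what refuses it.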