[prev in list] [next in list] [prev in thread] [next in thread]
List: kmail-devel
Subject: Re: Bug#44468: Possible security problem (was: Re: mail tries to execute binary (not really))
From: Ingo =?iso-8859-1?q?Kl=F6cker?= <kloecker () kde ! org>
Date: 2002-06-29 21:27:56
[Download RAW message or body]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Saturday 29 June 2002 01:23, Dirk Mueller wrote:
> On Fre, 28 Jun 2002, Waldo Bastian wrote:
> > > local references. Obviously khtml tried and still tries (with
> > > KDE_3_0_BRANCH) to load file:/3Dcid:meco. It should be made
> > > possible to disable loading of all but a few allowed local
> > > references.
> >
> > That's pretty bad I would say and should be fixed for KDE 3.0.2
> > IMO.
>
> Did I miss something ? Where is the "security problem" hiding ?
If khtml is allowed to load arbitrary local files then it would be very
easy to create a message which causes a DOS if it's selected. The
message could for example contain thousands of iframes which open some
common large local files. OTOH, the iframes problem has already been
fixed IIRC. This is supported by the fact that for a HTML message with
the following body:
<html><head></head><body>
<iframe width="200" height="300" src="/etc/passwd"></iframe>
</body></html>
/etc/passwd is _not_ loaded (which is good!). But then I wonder why
khtml tries to load 3Dcid:meco which is also embedded into the message
via an iframe.
Regards,
Ingo
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
iD8DBQE9HiZcGnR+RTDgudgRAlgRAJ9kTzBsDyj0I7mjvF2VWin8pftnAACg0BuZ
AAyOQdxEfeYWFqN6C56Y3eA=
=TKPd
-----END PGP SIGNATURE-----
_______________________________________________
KMail Developers mailing list
kmail@mail.kde.org
http://mail.kde.org/mailman/listinfo/kmail
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic