
List:       kmail-devel
Subject:    Re: KMail and WINE integration - virus
From:       Luis Pedro Coelho <luis_pedro () netcabo ! pt>
Date:       2002-10-25 16:35:15

On Thursday, 24 October 2002 18:17, Daniel Naber wrote:
> On Thursday 24 October 2002 17:57, Luis Pedro Coelho wrote:
> > I think kmail should not warn on every attachment open.
>
> We show a security warning if there's a possible security problem. Opening
> an attachment *is* always a potential security problem. There have been so
> many buffer overflows in so many different programs which can be triggered
> by carefully built input that it's just not correct to say "opening a ZIP
> file is safe".

Well, then there is not much you can do, is there? I mean, do you trust Qt's 
handling of JPEGs? If you do, then you must also trust kuickshow to show 
JPEGs. If you don't, then you should not automatically show JPEGs inline. And 
yes, I often click on JPEGs to see them with kuickshow because I can zoom 
in/out, etc.

My proposal included that each app could signal that it was ready to open 
untrusted files. If an app does this, then its authors should realise that it 
is a target of a possible security attack. You must give some credit to them 
or at least let me trust it. 

Or maybe we can have a middle ground: for applications which have an 
"Untrusted-Exec", there is a do-not-show-me-again message box.

> Anyway, if the attachment is not known, the button says "Open with.." and
> you have to explicitly select an application. If the application is known,
> we show what application will be used to open the file. If someone clicks
> "Open" when we ask "Open destroy.pl with 'perl'?" - what should we do
> about that? And even for that case he would have to change his settings
> for perl files (otherwise it's displayed in an editor). And there's also a
> different attachment icon for images than for other files.

I say that kmail should err on the paranoia side. Anything you don't know 
about is highly doubtful.

However, known mime-types should be different. Especially if, as I proposed, 
apps contained an option to open untrusted files.

Regards,
-- 
Luis Pedro Coelho

"Technology does not always equal progress."
Douglas Coupland
_______________________________________________
KMail Developers mailing list
kmail@mail.kde.org
http://mail.kde.org/mailman/listinfo/kmail