[prev in list] [next in list] [prev in thread] [next in thread] 

List:       kmail-devel
Subject:    Re: Bug#14253: kmail html security bug
From:       Don Sanders <sanders () kde ! org>
Date:       2000-11-01 14:32:31
[Download RAW message or body]

Oh, I just checked in a fix for the HEAD branch too. I guess they didn't 
conflict, perhaps Michael's patch is better feel free to revert mine.

I regard the problem as a bug but not a security exploit. Still it's a 
serious bug and the person who discovered it did a good job.

I agree with the comments Daniel and George made about running KMail as root 
being a bad idea.

BFN,
Don.

On Wednesday 01 November 2000 14:33, Daniel Naber wrote:
> On Wednesday 01 November 2000 13:18, Michael Haeckel wrote:
> > I just fixed it in the HEAD branch. If someone confirms, that the
> > attached patch is correct, I commit it also to the KDE_2_0_BRANCH and
> > send a mail to the translators.
>
> The patch works for me. But from a security point of view, it would be
> better to revert the first if(). i.e. don't check when to use the popup,
> but check when not to use it (e.g. text/html). On the other hand, I don't
> think we should not trust findByURL() at all. It's more secure to always
> pop up the dialog (with "open" instead of "execute" if it makes more
> sense).
>
> Regards
>  Daniel

["openbug.diff" (text/x-c)]

Index: kmreaderwin.cpp
===================================================================
RCS file: /home/kde/kdenetwork/kmail/kmreaderwin.cpp,v
retrieving revision 1.209
diff -u -b -r1.209 kmreaderwin.cpp
--- kmreaderwin.cpp	2000/10/19 15:45:29	1.209
+++ kmreaderwin.cpp	2000/11/01 14:21:18
@@ -1282,7 +1282,11 @@
 
     slotAtmOpen();
   }
-  else emit urlClicked(aUrl,/* aButton*/LeftButton); //### FIXME: add button to URLArgs!
+  else {
+      if (aUrl.protocol().isEmpty() || (aUrl.protocol() == "file"))
+	  return;
+      emit urlClicked(aUrl,/* aButton*/LeftButton); //### FIXME: add button to URLArgs!
+  }
 }
 
 

_______________________________________________
Kmail Developers mailing list
Kmail@master.kde.org
http://master.kde.org/mailman/listinfo/kmail


[prev in list] [next in list] [prev in thread] [next in thread]

Configure | About | News | Add a list | Sponsored by KoreLogic