[PATCH] reduce false positives of mailto: link detection
Thiago Macieira
thiago at kde.org
Fri Mar 25 15:12:40 GMT 2005
Ingo Klöcker wrote:
>> > The patch looks good but is '_' really allowed in actual domain
>> > names?
>But I guess they never occur as domain part of an email address, right?
Right:
$ echo domain_something.com | idn -a --usestd3asciirules --quiet
idn: idna_to_ascii_4z: Non-digit/letter/hyphen in input
Note that we do not enforce STD3 ASCII Rules in our code.
>Depending on the font mail at kde.org and mail at kdе.org look the same. OTOH,
>(almost) the same problem exists with mail at spiegel.de and
>mail at spiegeI.de.
The source code reveals a Cyrillic e in the second email, but other than
that, I would never have guessed. The e's look exactly the same to me.
As for spiegel.de, I can't see any difference even in the email source
code.
> Email addresses with IDNs
>don't work correctly though while URLs with IDNs work.
That's a bug.
>How should we proceed?
>a) Don't highlight any email addresses/URLs with non-ASCII chars in the
>domain name?
>b) Only highlight email addresses/URLs with IDNs for a whitelist of TLDs
>(as in Konqueror)?
>c) Highlight all email addresses/URLs, but show the ACE-encoded domain
>in the status bar (and probably also in a tooltip) for the bad TLDs?
Don't bother too much with URLs launched in Konqueror. It's its job to
warn the user about its effects.
However, given the wide range of programs launchable from URLs in KMail,
it might be considered a security risk to not warn. I am not sure what to
do here. If we do show a warning when you click https://secure.kdе.org
and then Konqueror shows it again when it loads, we will be annoying the
user.
As for email addresses, when you click them, it's kmail that gets launched
(composer window). In that case, it's KMail's job to warn about insecure
domains.
Right now, the rules deep down in the resolver won't let you even consider
the insecure domains because we will refuse to encode. So there's no way
you can send an email to an insecure domain, short of writing the ACE
form by hand. I don't consider there to be a security risk _right_ _now_.
When we bring back some of the functionality, KMail & Konqueror and other
programs that handle URLs will have to be modified to properly show the
warnings.
>Since this affects all apps which automatically highlight email
>addresses/URLs I cc'ed kde-core-devel.
I don't see a problem in highlighting, as long as you can never send the
email to the phishing address, or you're properly warned. Hence what I
said about it being the launched program's job to warn, not the one
launching.
--
Thiago Macieira - thiago (AT) macieira (DOT) info
PGP/GPG: 0x6EF45358; fingerprint:
E067 918B B660 DBD1 105C 966C 33F5 F005 6EF4 5358
5. Swa he géanhwearf tó timbran, and hwonne he cóm, lá! Unix cwæð "Hello,
World". Ǽfre ǽghwilc wæs glæd and seo woruld wæs fréo.
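The checks the thread argues about, written out as an added Python example that is not part of this message or of KMail's or Konqueror's own code: an STD3 ASCII rule check (the reason `domain_something.com` is rejected above), a coarse mixed-script check that catches a Cyrillic "е" inside a Latin label, and option (c), showing the ACE-encoded domain instead of the pretty one. The `TLD_WHITELIST` set is a placeholder for option (b) and not the real Konqueror list, and the script classification is approximated from Unicode character names rather than a full confusables table.

```python
"""Checks for the domain part of mailto:/URL text, as discussed in the thread."""
import re
import unicodedata

# STD3 ASCII rules (the --usestd3asciirules switch in the mail): a label is
# letters, digits and hyphens only, 1..63 octets, no leading/trailing hyphen.
_STD3_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

# Placeholder whitelist of TLDs whose registries restrict IDN scripts
# (assumption for this example; the real list is application configuration).
TLD_WHITELIST = {"de", "at", "ch"}


def script_of(ch):
    """Coarse script class of one character, taken from the first word of its
    Unicode name ('LATIN', 'CYRILLIC', 'GREEK', ...). Digits and hyphens are
    script-neutral and return None. An approximation, not UTS #39."""
    if ch.isdigit() or ch == "-":
        return None
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else "UNKNOWN"


def analyse_domain(domain):
    """Classify a domain as it appears in an email address or URL.

    Returns a dict with:
      ace            - ASCII (xn--) form for a status bar/tooltip, or None if
                       a label cannot be encoded
      non_ascii      - any label contains non-ASCII characters
      mixed_script   - a single label mixes scripts (e.g. Latin + Cyrillic)
      std3_violation - an ASCII label breaks STD3 rules (e.g. contains '_')
    """
    info = {"ace": None, "non_ascii": False,
            "mixed_script": False, "std3_violation": False}
    ace_labels = []
    for label in domain.rstrip(".").split("."):
        if label.isascii():
            if not _STD3_LABEL.match(label):
                info["std3_violation"] = True
            ace_labels.append(label.lower())
            continue
        info["non_ascii"] = True
        scripts = {script_of(c) for c in label} - {None}
        if len(scripts) > 1:
            info["mixed_script"] = True
        try:
            # Python's idna codec performs nameprep + punycode per label
            ace_labels.append(label.encode("idna").decode("ascii"))
        except UnicodeError:
            return info  # refuse to encode, like the resolver in the mail
    info["ace"] = ".".join(ace_labels)
    return info


def status_bar_text(address, tld_whitelist=TLD_WHITELIST):
    """What a mailer should display for a mailto: target (option c above):
    the address as written when it is plain ASCII and STD3-clean, the
    ACE-encoded domain when the label mixes scripts or the TLD is not
    whitelisted, and None when the domain should not be highlighted at all."""
    local, _, domain = address.rpartition("@")
    info = analyse_domain(domain)
    if info["std3_violation"]:
        return None                      # not a valid hostname
    if not info["non_ascii"]:
        return address                   # plain ASCII, nothing to reveal
    if info["ace"] is None:
        return None                      # could not be encoded
    tld = domain.rsplit(".", 1)[-1].lower()
    if info["mixed_script"] or tld not in tld_whitelist:
        return f"{local}@{info['ace']}"  # show the real target
    return address


if __name__ == "__main__":
    # Constructed samples: the three addresses from the thread plus a clean IDN.
    for sample in ("mail@kde.org", "mail@kd\u0435.org",        # Cyrillic е
                   "mail@domain_something.com", "mail@m\u00fcnchen.de"):
        print(f"{sample!r:32} -> {status_bar_text(sample)!r}")
```

Note what this does and does not catch: the Cyrillic-е address comes back as `mail@xn--kd-....org`, which is exactly the visible difference the mail asks for, while `spiegeI.de` passes every check because it is plain ASCII; only a confusables table (or the registry refusing such names) helps there.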