Possible security problem (was: Re: mail tries to execute binary (not really))

Ingo Klöcker kloecker at kde.org
Fri Jun 28 20:34:20 BST 2002


[For the people on kde-core-devel: Please read the complete bug history 
at http://bugs.kde.org/db/44/44468.html.]

On Friday 28 June 2002 19:40, Daniel Naber wrote:
> I do indeed get an "unable to run the specified" command error with
> the attached mail (KMail from 3_0_BRANCH). However, if I add a path
> to a binary that actually exists I don't get an error but the program
> isn't executed either. Also I could not reproduce this with the
> <iframe> code alone in a fresh mail.

This problem occurs because the header of the text/html attachment is 
broken. Because of the blank line between the Content-Type header and 
the Content-Transfer-Encoding header KMail interprets the CTE header as 
part of the message. Therefore it doesn't decode the quoted-printable 
encoded HTML source and therefore KHTML sees this:
	<iframe src=3Dcid:meco height=3D0 width=3D0>
	</iframe>
As '3Dcid:' isn't a known protocol KHTML (resp. some kioslave ?) seems 
to interpret 3Dcid:meco as local file name. Is this correct behaviour?

The error message which is then displayed:
	"Unable to run the command specified.
	The file or directory file:/3Dcid:meco does not exist."
is misleading. When KDE "runs" a URL it actually runs a program which 
is appropriate to view the document behind the URL. This error message 
should be reworded.

Furthermore it should be made possible to not only restrict loading of 
remote references but also loading of local references. Some local 
references need to be loaded by the KHTML part which is run by KMail, 
e.g. to show attached images. Therefore a possible solution would be to 
transmit a list of allowed references (i.e. the local URLs of the 
images) to the KHTML part.

Regards,
Ingo

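The failure mode described in the message above, reconstructed as an added Python example (not code from the thread or from KMail/KHTML): a strict MIME parser ends the header block at the first blank line, so the misplaced Content-Transfer-Encoding header is never applied, the "=3D" sequences survive, and the renderer is handed "3Dcid:meco" instead of "cid:meco". The allow-list check at the end is one way to realise the proposal of passing the permitted local references to the HTML part; the MIME part, the regex and the verdict names are constructed for this example.

```python
import email
import quopri
import re

# Constructed MIME part modelled on the bug report: a blank line separates
# Content-Type from Content-Transfer-Encoding, so the CTE header ends up in
# the body and the quoted-printable text (=3D for '=') is never decoded.
BROKEN_PART = (
    b'Content-Type: text/html; charset="iso-8859-1"\n'
    b'\n'
    b'Content-Transfer-Encoding: quoted-printable\n'
    b'\n'
    b'<iframe src=3Dcid:meco height=3D0 width=3D0>\n'
    b'</iframe>\n'
)
# The same part with the stray blank line removed (well-formed headers).
FIXED_PART = BROKEN_PART.replace(b'"\n\nContent-Transfer', b'"\nContent-Transfer', 1)

# Constructed, deliberately simple extractor for src= values in the HTML.
SRC_RE = re.compile(r'\bsrc=["\']?([^\s"\'>]+)', re.IGNORECASE)


def decode_html_part(raw: bytes) -> str:
    """Strict parse of one MIME part: headers end at the first blank line,
    and the body is decoded only if a CTE header was actually seen."""
    msg = email.message_from_bytes(raw)
    body = msg.get_payload()
    if msg.get("Content-Transfer-Encoding", "").strip().lower() == "quoted-printable":
        return quopri.decodestring(body.encode("latin-1")).decode("latin-1")
    return body


def src_references(html: str) -> list:
    """All src= values the HTML would ask the renderer to load."""
    return SRC_RE.findall(html)


def classify_references(html: str, allowed_cids: set) -> dict:
    """Allow-list check: the mail client hands the renderer the exact cid: URLs
    of attached images; anything else, including a garbled '3Dcid:meco' that
    would otherwise be treated as a local file name, is blocked, not resolved."""
    return {ref: ("allow" if ref in allowed_cids else "block")
            for ref in src_references(html)}


if __name__ == "__main__":
    for label, part in (("broken", BROKEN_PART), ("fixed", FIXED_PART)):
        print(label, classify_references(decode_html_part(part), {"cid:meco"}))
```

Running the block prints the verdicts for both parts: the broken part yields a blocked "3Dcid:meco", the repaired part an allowed "cid:meco".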
