Possible security problem (was: Re: mail tries to execute binary (not really))
kloecker at kde.org
Fri Jun 28 20:34:20 BST 2002
[For the people on kde-core-devel: Please read the complete bug history
On Friday 28 June 2002 19:40, Daniel Naber wrote:
> I do indeed get an "unable to run the specified" command error with
> the attached mail (KMail from 3_0_BRANCH). However, if I add a path
> to a binary that actually exists I don't get an error but the program
> isn't executed either. Also I could not reproduce this with the
> <iframe> code alone in a fresh mail.
This problem occurs because the header of the text/html attachment is
broken. Because of the blank line between the Content-Type header and
the Content-Transfer-Encoding header KMail interprets the CTE header as
part of the message. Therefore it doesn't decode the quoted-printable
encoded HTML source and therefore KHTML sees this:
<iframe src=3Dcid:meco height=3D0 width=3D0>
As '3Dcid:' isn't a known protocol KHTML (or some kioslave?) seems
to interpret 3Dcid:meco as a local file name. Is this correct behaviour?
The error message which is then displayed:
"Unable to run the command specified.
The file or directory file:/3Dcid:meco does not exist."
is misleading. When KDE "runs" a URL it actually runs a program which
is appropriate to view the document behind the URL. This error message
should be reworded.
Furthermore it should be made possible to not only restrict loading of
remote references but also loading of local references. Some local
references need to be loaded by the KHTML part which is run by KMail,
e.g. to show attached images. Therefore a possible solution would be to
transmit a list of allowed references (i.e. the local URLs of the
images) to the KHTML part.
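The two effects described in the message above, reproduced as an added example (this is not KMail, KHTML or KIO code, and the KDE project never shipped it). Python's standard `email` module is used as a stand-in MIME parser: like KMail, it ends the header block at the first blank line, so a Content-Transfer-Encoding header placed after a blank line becomes body text and the quoted-printable body is never decoded. Both MIME parts are constructed for the example. `resolve_reference` and `load_allowed` are hypothetical models of, respectively, the "unknown scheme is a local file" fallback and the allow-list of local references the message proposes; they are assumptions about the behaviour, not KIO's actual resolution logic.

```python
"""Added example: a broken text/html part versus a well-formed one,
and an allow-list check for the references KHTML is asked to load."""
import email
import re

# Constructed sample: the broken attachment. The blank line after
# Content-Type ends the header block, so the CTE line is body text.
BROKEN_PART = (
    'Content-Type: text/html; charset="iso-8859-1"\n'
    "\n"
    "Content-Transfer-Encoding: quoted-printable\n"
    "\n"
    "<iframe src=3Dcid:meco height=3D0 width=3D0>\n"
)

# Constructed sample: the same part with a well-formed header block.
FIXED_PART = (
    'Content-Type: text/html; charset="iso-8859-1"\n'
    "Content-Transfer-Encoding: quoted-printable\n"
    "\n"
    "<iframe src=3Dcid:meco height=3D0 width=3D0>\n"
)


def decoded_html(raw_part: str) -> str:
    """Parse one MIME part and return the body as the HTML viewer would see it."""
    msg = email.message_from_string(raw_part)
    # When no Content-Transfer-Encoding header is present in the header
    # block, get_payload(decode=True) hands the body back untouched, so the
    # "=3D" sequences of quoted-printable survive into the HTML source.
    body = msg.get_payload(decode=True)
    return body.decode("iso-8859-1")


def iframe_src(html: str):
    """Return the src value of the first <iframe> tag, or None (hypothetical helper)."""
    m = re.search(r"<iframe\s+src=([^\s>]+)", html, re.IGNORECASE)
    return m.group(1) if m else None


# A URL scheme must start with a letter; "3Dcid" therefore is not one.
_SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*:")


def resolve_reference(ref: str) -> str:
    """Hypothetical model of the fallback the message describes: a reference
    without a valid scheme is taken as a local file name (not KIO's real code)."""
    if _SCHEME_RE.match(ref):
        return ref
    return "file:/" + ref.lstrip("/")


def load_allowed(ref: str, allowed_local: frozenset, allow_remote: bool = False) -> bool:
    """Hypothetical policy: remote references are gated by the existing
    setting, local references only load if the mail client put them on the
    list it handed to the HTML part (e.g. the cid: URLs of attached images)."""
    url = resolve_reference(ref)
    scheme = url.split(":", 1)[0].lower()
    if scheme in ("http", "https", "ftp"):
        return allow_remote
    # cid:, file: and anything unknown are local to the viewer: allow-list only.
    return url in allowed_local


def check_part(raw_part: str, allowed_local: frozenset):
    """Decode a part, pull out the iframe reference and decide whether it may load."""
    src = iframe_src(decoded_html(raw_part))
    if src is None:
        return None, None, False
    return src, resolve_reference(src), load_allowed(src, allowed_local)


if __name__ == "__main__":
    allowed = frozenset({"cid:meco"})
    for name, part in (("fixed", FIXED_PART), ("broken", BROKEN_PART)):
        src, url, ok = check_part(part, allowed)
        print(f"{name}: src={src!r} resolves to {url!r} load allowed={ok}")
```

Running the block shows the well-formed part yielding `cid:meco`, which is on the allow-list, while the broken part yields `3Dcid:meco`, which the fallback turns into `file:/3Dcid:meco` and the allow-list rejects; an arbitrary `file:` reference embedded in a mail is rejected the same way, which is the point of passing the list of permitted local URLs to the HTML part instead of trusting whatever the message names.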