Expanded registrations for KOffice mime types

Marc Mutz mutz at kde.org
Thu May 23 23:54:18 BST 2002


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thursday 23 May 2002 23:42, Nicolas Goutte wrote:
> I am sorry to be picky again!

You're welcome... ;-)

> "ZIP archives, XML files and supported image files"
>
> Do WMF (Windows Meta Files) count as images too? What is the security
> status of those?
>
> As far as I know, KPresenter is prepared to have sound files. This
> should perhaps be noted too, shouldn't it?
<snip>
> On Thursday 23 May 2002 21:36, Marc Mutz wrote:
> (...)
> >         As of this writing, KWord documents do not contain any
> > active content. As such, it is believed that usage of this mimetype
> > does not introduce security concerns other than those already
> > inherent in ZIP archives, XML files and supported image files.
> (...)

Hmm, of course. There opens a can of worms:
What about e.g. SVG images with embedded JavaScript? How do you want to 
handle those? Allow it? Ignore the JavaScript? Strip it off before 
including it in the KApp document?

More generally: Is there a KOffice policy regarding external content 
that may have embedded active content? (PostScript is known to be able 
to do nasty things like IIRC accessing the local file system when 
interpreted)

Marc

- -- 
Marc Mutz <mutz at kde.org>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE87XMa3oWD+L2/6DgRAinXAKD3iYIVUGKHFbxZsn3nSH+gSnr3SACg1euK
TDMzdfC4eUjt8Nf/KBPlgnc=
=j6j4
-----END PGP SIGNATURE-----





More information about the kde-core-devel mailing list