Expanded registrations for KOffice mime types

Thomas Zander zander at planescape.com
Fri May 24 17:36:46 BST 2002


On Fri, May 24, 2002 at 12:54:18AM +0200, Marc Mutz wrote:
> On Thursday 23 May 2002 23:42, Nicolas Goutte wrote:
> > "ZIP archives, XML files and supported image files"
> >
> > Do WMF (Windows Meta Files) count as images too? What is the security
> > status of those?
> >
> > As far as I know, KPresenter is prepared to have sound files. This
> > should perhaps be noted too, shouldn't it?
...
 
> Hmm, of course. There opens a can of worms:
> What about e.g. SVG images with embedded JavaScript? How do you want to 
> handle those? Allow it? Ignore the JavaScript? Strip it off before 
> including it in the KApp document?
> 
> More generally: Is there a KOffice policy regarding external content 
> that may have embedded active content? (PostScript is known to be able 
> to do nasty things like IIRC accessing the local file system when 
> interpreted)
> 
> Marc

svg/eps/wml etc are all embedded in the document (but that is optional to 
begin with).  The document that uses the mime-type is a zip; so basically
you can include any executable/shell script virus in there as you want.
The statement that it does not introduce extra security concerns is therefore
complete.

For the people that are afraid that I am sidestepping the problem with that;
on the question of using any scripts or other possible virus-like code in the
archive we keep and always will have the statement that we believe in separation
of document-data and executable-data. We will never allow something to be 
executed when it (or its container) is marked as document data.

Cheers!
-- 
Thomas Zander                                           zander at planescape.com
                                                 We are what we pretend to be
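
Added example, not part of the original message and not KOffice code: a sketch of how a consumer of such a ZIP-based document could inventory members that carry active content (SVG script, executables) so they are treated as data and never run. The member names, function names and sample archive are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

SVG_NS = "{http://www.w3.org/2000/svg}"
EXEC_MAGIC = {b"\x7fELF": "ELF binary", b"MZ": "PE/DOS binary", b"#!": "script with shebang"}

def svg_active_content(data):
    """Return reasons an SVG member carries script, or [] if none / not SVG."""
    try:
        # stdlib parser keeps the example dependency-free; for untrusted
        # files a hardened XML parser is advisable.
        root = ET.fromstring(data)
    except ET.ParseError:
        return []
    if root.tag not in (SVG_NS + "svg", "svg"):
        return []
    reasons = []
    for el in root.iter():
        if el.tag in (SVG_NS + "script", "script"):
            reasons.append("svg <script> element")
        reasons += ["svg event attribute " + a for a in el.attrib if a.lower().startswith("on")]
    return reasons

def audit_container(blob):
    """Map member name -> list of findings for a ZIP-based document."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            data = zf.read(info)
            hits = [label for magic, label in EXEC_MAGIC.items() if data.startswith(magic)]
            hits += svg_active_content(data)
            if hits:
                findings[info.filename] = hits
    return findings

def build_sample():
    """Constructed sample container; member names are made up for the example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("maindoc.xml", "<DOC><TEXT>hello</TEXT></DOC>")
        zf.writestr("pictures/logo.svg",
                    '<svg xmlns="http://www.w3.org/2000/svg" onload="init()">'
                    '<script>init = function(){}</script><rect width="1" height="1"/></svg>')
        zf.writestr("pictures/plain.svg",
                    '<svg xmlns="http://www.w3.org/2000/svg"><rect width="1" height="1"/></svg>')
        zf.writestr("extras/run.sh", "#!/bin/sh\necho hi\n")
    return buf.getvalue()

if __name__ == "__main__":
    for name, hits in audit_container(build_sample()).items():
        print(name, "->", ", ".join(hits))
```

The audit only reports; whether flagged members are ignored, stripped or kept as inert data is the policy question raised in the thread.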