[PATCH] reduce false positives of mailto: link detection

Thiago Macieira thiago at kde.org
Fri Mar 25 15:12:40 GMT 2005

Ingo Klöcker wrote:
>> > The patch looks good but is '_' really allowed in actual domain
>> > names?

>But I guess they never occur as domain part of an email address, right?


$ echo domain_something.com | idn -a --usestd3asciirules --quiet
idn: idna_to_ascii_4z: Non-digit/letter/hyphen in input

Note that we do not enforce STD3 ASCII Rules in our code.

>Depending on the font mail at kde.org and mail at kdе.org look the same. OTOH,
>(almost) the same problem exists with mail at spiegel.de and
>mail at spiegeI.de.

The source code reveals a Cyrillic e in the second email, but other than 
that, I would never have guessed. The e's look exactly the same to me.

As for spiegel.de, I can't see any difference even in the email source 

> Email addresses with IDNs
>don't work correctly though while URLs with IDNs work.

That's a bug.

>How should we proceed?
>a) Don't highlight any email addresses/URLs with non-ASCII chars in the
>domain name?
>b) Only highlight email addresses/URLs with IDNs for a whitelist of TLDs
>(as in Konqueror)?
>c) Highlight all email addresses/URLs, but show the ACE-encoded domain
>in the status bar (and probably also in a tooltip) for the bad TLDs?

Don't bother too much with URLs launched in Konqueror. It's its job to 
warn the user about its effects.

However, given the wide range of programs launchable from URLs in KMail, 
it might be considered a security risk to not warn. I am not sure what to 
do here. If we do show a warning when you click https://secure.kdе.org 
and then Konqueror shows it again when it loads, we will be annoying the 

As for email addresses, when you click them, it's kmail that gets launched 
(composer window). In that case, it's KMail's job to warn about insecure 

Right now, the rules deep down in the resolver won't let you even consider 
the insecure domains because we will refuse to encode. So there's no way 
you can send an email to an insecure domain, short of writing the ACE 
form by hand. I don't consider there to be a security risk _right_ _now_.

When we bring back some of the functionality, KMail & Konqueror and other 
programs that handle URLs will have to be modified to properly show the 

>Since this affects all apps which automatically highlight email
>addresses/URLs I cc'ed kde-core-devel.

I don't see a problem in highlighting, as long as you can never send the 
email to the phishing address, or you're properly warned. Hence what I 
said about it being the launched program's job to warn, not the one 

  Thiago Macieira  -  thiago (AT) macieira (DOT) info
    PGP/GPG: 0x6EF45358; fingerprint:
    E067 918B B660 DBD1 105C  966C 33F5 F005 6EF4 5358

5. Swa he géanhwearf tó timbran, and hwonne he cóm, lá! Unix cwæð "Hello, 
World". Ǽfre ǽghwilc wæs glæd and seo woruld wæs fréo.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: <http://mail.kde.org/pipermail/kde-core-devel/attachments/20050325/ccab5974/attachment.sig>
-------------- next part --------------
KMail developers mailing list
KMail-devel at kde.org

More information about the kde-core-devel mailing list