Feedback wanted regarding prettyURL()
Thiago Macieira
thiago at kde.org
Thu Aug 16 22:56:19 BST 2007
Dirk Mueller wrote:
>Hi,
>
> To avoid the latest announced URL spoofing attacks in a general way, I
> suggested to shorten the username, to avoid that the user misinterprets
> the username actually as part of the hostname.
>
> This however breaks the URL pretty badly: the username is not really
> valid anymore. On the other hand, it's unlikely that there will be a
> very long username given, especially if no password has been added.
>
> Comments, opinions?
Let me understand the objective:
we want the UI to show a shortened username so that a spoofer doesn't
write, for instance:
http://www.kde.org%2Fdownload%2Flatest.php@spoofer-website.com
which displays in Konqueror:
http://www.kde.org/download/latest.php@spoofer-website.com
First things first, I'd recommend leaving those %HH quoted. I'll check
that QUrl in Qt4 does have that behaviour.
Second, would users be fooled by the %2F there? Or %40?
If so, then I agree with the patch. Pressing Enter on the Konqueror
Location bar doesn't necessarily go to the same website as the one it is
displaying.
--
Thiago Macieira - thiago (AT) macieira.info - thiago (AT) kde.org
PGP/GPG: 0x6EF45358; fingerprint:
E067 918B B660 DBD1 105C 966C 33F5 F005 6EF4 5358
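The spoof discussed above, worked through as an added example (not code from KDE or Qt; it uses Python's urllib.parse instead of QUrl, and the SPOOF_URL values and the apparent_host heuristic are constructed for the demonstration). naive_pretty shows what happens when a prettyURL() decodes the %HH escapes inside the userinfo: the display reads as a path on www.kde.org while the browser connects to spoofer-website.com. safe_pretty keeps the escapes quoted, as Thiago recommends, and additionally truncates a long username, as in Dirk's patch; max_user_len is an assumed parameter.

```python
from urllib.parse import urlsplit, urlunsplit, unquote

# Constructed URLs from the thread: the userinfo part (everything before the
# last '@' in the authority) is crafted to look like a host and path.
SPOOF_URL = "http://www.kde.org%2Fdownload%2Flatest.php@spoofer-website.com"
SPOOF_URL_AT = "http://user%40www.kde.org@spoofer-website.com"   # the %40 variant


def actual_host(url: str) -> str:
    """Host the browser really connects to. Per RFC 3986 the authority is
    [userinfo '@'] host [':' port], so the host is whatever follows the
    last '@'; urlsplit() applies exactly that rule."""
    return urlsplit(url).hostname or ""


def naive_pretty(url: str) -> str:
    """Unsafe "pretty" rendering: percent-decoding the whole string turns the
    %2F / %40 inside the userinfo into '/' and '@', so the display lies."""
    return unquote(url)


def safe_pretty(url: str, max_user_len: int = 20) -> str:
    """Safer rendering: %HH escapes in the userinfo stay quoted, and a long
    username is cut short (assumed limit) so it cannot impersonate a
    hostname or path. The host part is never touched."""
    parts = urlsplit(url)
    userinfo, sep, hostport = parts.netloc.rpartition("@")
    netloc = parts.netloc
    if sep:
        if len(userinfo) > max_user_len:
            userinfo = userinfo[:max_user_len] + "..."
        netloc = f"{userinfo}@{hostport}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def apparent_host(display: str) -> str:
    """What a casual reader takes for the hostname: the text after '://' up to
    the first '/'. Constructed heuristic for the demonstration only."""
    after = display.split("://", 1)[1]
    return after.split("/", 1)[0]


def display_spoofs_host(url: str) -> bool:
    """True if the naive rendering would make a reader believe in a host that
    differs from the one actually connected to."""
    return apparent_host(naive_pretty(url)) != actual_host(url)


if __name__ == "__main__":
    for u in (SPOOF_URL, SPOOF_URL_AT):
        print("real host:  ", actual_host(u))
        print("naive shows:", naive_pretty(u))
        print("safe shows: ", safe_pretty(u))
        print("spoof risk: ", display_spoofs_host(u))
        print()
```

Running it shows that the naive display of SPOOF_URL begins with www.kde.org/download/latest.php, while the safe display keeps the %2F escapes and the truncated username so the real host after the '@' remains recognisable; a URL without userinfo passes through safe_pretty unchanged.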