Review Request: Make the http kioslave use credentials provided in the url
lemma at confuego.org
Thu Jul 9 00:39:10 BST 2009
-----BEGIN PGP SIGNED MESSAGE-----
Richard Moore wrote:
> I would say we should reject this patch. Including the credentials in
> this way is flawed as it allows intermediate proxies to record the
> credentials introducing a security hole. We should not allow this. The
It's not meant to transmit the credentials in the URL. That's just meant as
a way of passing them to the kioslave which will extract the information and
use the negotiated authentication method.
> specified use case of RPC over HTTP can already be accomplished in
> numerous other ways (including directly using Basic or other
> authentication through KIO or via XMLHttpRequest).
I haven't found a way to get authentication information into the kio_http
other than through direct user input (using kpasswdserver). RPC over HTTP
was only meant to serve as an example for any library/application that needs
to directly set credentials (eg. in a config dialog) and doesn't want to
have the user enter them using kpasswdserver.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
-----END PGP SIGNATURE-----
More information about the kde-core-devel