[Kde-pim] [patch] file:// link in mailreader

Till Adam till at kdab.net
Tue Apr 1 21:57:47 BST 2008


On Saturday 22 March 2008 15:23:56 Till Adam wrote:
> On Saturday 22 March 2008 13:59:53 Ingo Klöcker wrote:
> > On Saturday 22 March 2008, Martin Koller wrote:
> > > Hi,
> > >
> > > I often get mails from colleagues which include links to file url,
> > > but the mails are sent in plain text, e.g.
> > > file://ourServer/some/path/file
> > >
> > > I found that kmail does not render them as clickable links in
> > > linklocator.cpp as the comment says:
> > > // note: no "file:" for security reasons
> > >
> > > Can someone tell me what kind of security reasons there are to not
> > > have it clickable ?
> >
> > Links are simply executed with KRun. What if there was an application
> > which did something bad as soon as it is executed?
> >
> > OTOH, we show a warning before executing a link (no matter what kind of
> > link) if the file is an executable. So it doesn't make much sense to
> > handle file: URLs more strict than http: or ftp: URLs.
> >
> > > For me it is very inconvenient to not be able to just click on them
> > > to open the file on our server.
> > >
> > > Anybody objections against activating this (patch against 3.5
> > > attached) ?
> >
> > I object against applying this patch to KDE 3.5 unless the KDABians want
> > to apply it to the enterprise branch.
>
> We'll discuss it, I'd like to think through the implications a bit.

We think that it's ok to go in in principle, but Marc points to this recent 
URL vulnerability on Windows, which should be checked for potentially similar 
issues in this context:

http://blog.mozilla.com/security/2007/07/10/security-issue-in-url-protocol-handling-on-windows/

Not sure this applies here.

till


-- 
Till Adam
KDAB - platform independent software services
_______________________________________________
KDE PIM mailing list kde-pim at kde.org
https://mail.kde.org/mailman/listinfo/kde-pim
KDE PIM home page at http://pim.kde.org/

