[Kde-pim] [patch] file:// link in mailreader

Tom Albers tomalbers at kde.nl
Sat Apr 12 14:18:35 BST 2008


On Tuesday 01 April 2008 22:57 you wrote:
> On Saturday 22 March 2008 15:23:56 Till Adam wrote:
> > On Saturday 22 March 2008 13:59:53 Ingo Klöcker wrote:
> > > On Saturday 22 March 2008, Martin Koller wrote:
> > > > Hi,
> > > >
> > > > I often get mails from colleagues which include links to file url,
> > > > but the mails are sent in plain text, e.g.
> > > > file://ourServer/some/path/file
> > > >
> > > > I found that kmail does not render them as clickable links in
> > > > linklocator.cpp as the comment says:
> > > > // note: no "file:" for security reasons
> > > >
> > > > Can someone tell me what kind of security reasons there are to not
> > > > have it clickable ?
> > >
> > > Links are simply executed with KRun. What if there was an application
> > > which did something bad as soon as it is executed?
> > >
> > > OTOH, we show a warning before executing a link (no matter what kind of
> > > link) if the file is an executable. So it doesn't make much sense to
> > > handle file: URLs more strict than http: or ftp: URLs.
> > >
> > > > For me it is very inconvenient to not be able to just click on them
> > > > to open the file on our server.
> > > >
> > > > Anybody objections against activating this (patch against 3.5
> > > > attached) ?
> > >
> > > I object against applying this patch to KDE 3.5 unless the KDABians want
> > > to apply it to the enterprise branch.
> >
> > We'll discuss it, I'd like to think through the implications a bit.
> 
> We think that it's ok to go in in principle, but Marc points to this recent 
> URL vulnerability on Windows, which should be checked for potentially similar 
> issues in this context:
> 
> http://blog.mozilla.com/security/2007/07/10/security-issue-in-url-protocol-handling-on-windows/
> 
> Not sure this applies here.

If all affected clients make sure that they don't execute the clicked url, see the parameter of KRun, then I don't see a way to make this happen.

Best,

Toma
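
The handling discussed in this thread, as an added example that is not taken from KMail's linklocator.cpp, from KRun, or from any poster: plain-text link detection that includes file://, plus a click decision that never runs the target itself. All names (locateLinks, parseFileUrl, isExecutableFile, decideClick, ClickAction) and the choice to ask before opening a file on a remote host are assumptions; percent-decoding is omitted.

```cpp
#include <cctype>
#include <string>
#include <vector>
#include <sys/stat.h>

// Added illustration; every name here is hypothetical, not KMail or KRun API.
enum class ClickAction { OpenWithHandler, WarnExecutable, AskRemote };
struct FileUrl { bool ok; std::string host; std::string path; };
// Schemes rendered as links; "file://" is the one the thread debates enabling.
static const std::vector<std::string> kSchemes = {"http://", "https://", "ftp://", "file://"};

// Find scheme-prefixed URLs in plain text; a URL ends at whitespace, '<', '>' or '"'.
std::vector<std::string> locateLinks(const std::string& text) {
    std::vector<std::string> out;
    for (std::size_t i = 0; i < text.size(); ++i) {
        // Do not match a scheme glued to the end of another word.
        if (i > 0 && std::isalnum(static_cast<unsigned char>(text[i - 1]))) continue;
        for (const auto& s : kSchemes) {
            if (text.compare(i, s.size(), s) != 0) continue;
            std::size_t end = text.find_first_of(" \t\r\n<>\"", i);
            if (end == std::string::npos) end = text.size();
            if (end > i + s.size()) out.push_back(text.substr(i, end - i));
            i = end; break;
        }
    }
    return out;
}

// Split file://host/path; an empty or "localhost" host means a local file.
FileUrl parseFileUrl(const std::string& url) {
    const std::string p = "file://";
    if (url.compare(0, p.size(), p) != 0) return {false, "", ""};
    std::size_t slash = url.find('/', p.size());
    if (slash == std::string::npos) return {false, "", ""};
    std::string host = url.substr(p.size(), slash - p.size());
    if (host == "localhost") host.clear();
    return {true, host, url.substr(slash)};
}

// True for an existing regular file with any execute permission bit set.
bool isExecutableFile(const std::string& path) {
    struct stat st;
    if (stat(path.c_str(), &st) != 0 || !S_ISREG(st.st_mode)) return false;
    return (st.st_mode & (S_IXUSR | S_IXGRP | S_IXOTH)) != 0;
}

// Assumed policy: the target is only ever handed to a viewer, with a warning first if executable.
ClickAction decideClick(const FileUrl& u) {
    if (!u.host.empty()) return ClickAction::AskRemote;  // remote target cannot be inspected
    return isExecutableFile(u.path) ? ClickAction::WarnExecutable : ClickAction::OpenWithHandler;
}
```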