[kmail2] [Bug 431218] mail viewer loads external fonts even with external refs disabled

Timo Weingärtner bugzilla_noreply at kde.org
Wed Feb 3 10:28:48 GMT 2021


https://bugs.kde.org/show_bug.cgi?id=431218

--- Comment #3 from Timo Weingärtner <timo at tiwe.de> ---
I sent you a test case in private mail.

When reading your patch and the surrounding code it looks like only some
(images, now also fonts) request types are blacklisted. What about external
style sheets or other types that might grow in HTML-land? Are there any
external requests you think should be allowed?

Regarding URL schemes: why is file:// allowed? I could think of some social
engineering attacks that might work by including files from the victim's
computer. I would read "external request" as external to the e-mail in
question.

To me the function could be as simple as:

----8<----8<----
// Return true to block the request, false to let Qt WebEngine fetch it.
bool LoadExternalReferencesUrlInterceptor::interceptRequest(QWebEngineUrlRequestInfo &info)
{
    // User explicitly allowed external references for this message.
    if (mAllowLoadExternalReference) {
        return false;
    }

    // Deny by default; only content embedded in the mail itself may load,
    // regardless of the resource type (image, font, style sheet, ...).
    const QString scheme = info.requestUrl().scheme();
    if (scheme == QLatin1String("data")
        || scheme == QLatin1String("cid")) {
        return false;
    }

    return true;
}
----8<----8<----

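As an added illustration (not code from the bug report or from KMail), the two policies contrasted in the comment above, modelled in plain C++ with a constructed stand-in for QWebEngineUrlRequestInfo: a deny-list of resource types that still lets style sheets and file:// through, beside the deny-by-default scheme allow-list proposed in the comment. My reading of the criticised behaviour (Policy A), the request struct and the sample requests are assumptions; the mAllowLoadExternalReference override is left out.

```cpp
#include <cctype>
#include <string>
#include <vector>

// Constructed stand-in for QWebEngineUrlRequestInfo; not Qt and not KMail code.
enum class ResourceType { Image, FontResource, Stylesheet, Script };
struct RequestInfo { ResourceType type; std::string url; };

// Scheme = text before the first ':', lower-cased as QUrl::scheme() returns it; "" if absent.
std::string schemeOf(const std::string &url) {
    const auto pos = url.find(':');
    if (pos == std::string::npos) return "";
    std::string s = url.substr(0, pos);
    for (auto &c : s) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    return s;
}

bool isMailInternal(const std::string &scheme) { return scheme == "data" || scheme == "cid"; }

// Policy A, my reading of the approach the comment criticises: a deny-list of
// resource types (images, fonts) in which file:// still counts as local.
bool blockByTypeDenyList(const RequestInfo &r) {
    const bool listed = r.type == ResourceType::Image || r.type == ResourceType::FontResource;
    const std::string scheme = schemeOf(r.url);
    return listed && !isMailInternal(scheme) && scheme != "file";
}

// Policy B, the comment's proposal: deny everything whose scheme is not internal
// to the message (the mAllowLoadExternalReference user override is omitted here).
bool blockBySchemeAllowList(const RequestInfo &r) { return !isMailInternal(schemeOf(r.url)); }

// URLs a given policy would let the viewer fetch, in sample order.
std::vector<std::string> allowedUrls(bool (*block)(const RequestInfo &), const std::vector<RequestInfo> &reqs) {
    std::vector<std::string> out;
    for (const auto &r : reqs)
        if (!block(r)) out.push_back(r.url);
    return out;
}

// Constructed sample of requests an HTML mail might trigger.
const std::vector<RequestInfo> kSample = {
    {ResourceType::Image, "https://tracker.example/pixel.png"},
    {ResourceType::FontResource, "HTTPS://fonts.example/f.woff2"},
    {ResourceType::Stylesheet, "https://tracker.example/s.css"},
    {ResourceType::Image, "file:///home/user/Pictures/photo.jpg"},
    {ResourceType::Image, "cid:part1@example"},
    {ResourceType::Image, "data:image/png;base64,AAAA"},
};
```

Against the sample, Policy A still fetches the remote style sheet and the local file while Policy B allows only the cid: and data: parts; the lower-casing in schemeOf matters because a mixed-case scheme must not slip past a case-sensitive compare.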