D7539: Dolphin - Add autoplay feature for media files
Martin Flöser
noreply at phabricator.kde.org
Fri Aug 25 20:28:29 BST 2017
graesslin added a comment.
I need to point out that from a security perspective this is a very dangerous change. With autoplay enabled, a drive-by download with a corrupted media file will be autoplayed when the user enters the Downloads folder in Dolphin. Chromium downloads files automatically without asking the user and stores them in ~/Downloads. This was an issue which recently hit Tracker (Baloo is affected in similar ways, just inside KDE nobody cared so far).
Given that, I would suggest moving the media playback into a sandbox (e.g. a seccomp-enabled helper process which is not allowed to write to files, fork, etc.) and only enabling autoplay if there is no risk that this can be used to take over the system by just navigating to a malicious website.
REPOSITORY
R318 Dolphin
REVISION DETAIL
https://phabricator.kde.org/D7539
To: pekkah, #dolphin, #kde_applications
Cc: graesslin, anthonyfieroni, elvisangelaccio, #dolphin, pekkah, navarromorales, firef, andrebarros, alexeymin, genaxxx, emmanuelp
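A sketch of the seccomp-enabled helper process suggested in the comment above, added here as an example; it is not code from Dolphin or from the revision. It assumes Linux on x86-64 or aarch64, and the names `enter_sandbox`, `run_helper` and `HELPER_ARCH` are hypothetical.

```c
#include <fcntl.h>
#include <signal.h>
#include <stddef.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>

#ifdef __aarch64__
#define HELPER_ARCH AUDIT_ARCH_AARCH64
#else /* assumption: any other build targets x86-64 */
#define HELPER_ARCH AUDIT_ARCH_X86_64
#endif
#define ALLOW(nr) BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (nr), 0, 1), \
                  BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)
/* Allow-list: read/write on already-open fds and exit; anything else kills the helper. */
static int enter_sandbox(void) {
    struct sock_filter f[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, HELPER_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        ALLOW(__NR_read), ALLOW(__NR_write), ALLOW(__NR_exit_group),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    };
    struct sock_fprog prog = { .len = sizeof f / sizeof f[0], .filter = f };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* mode 0: read input only; 1: try to create a file; 2: try to fork. Returns exit code or -signal. */
int run_helper(int mode) {
    int st = 0;
    pid_t pid = fork();
    if (pid == 0) {
        char buf[16];
        int in = open("/dev/null", O_RDONLY); /* stands in for the media file, opened before sandboxing */
        if (in < 0 || enter_sandbox() != 0) _exit(2);
        if (read(in, buf, sizeof buf) < 0) _exit(3);   /* allowed: read on an inherited fd */
        if (mode == 1) open("/tmp/constructed-output", O_WRONLY | O_CREAT, 0600); /* openat: denied */
        if (mode == 2) fork();                          /* clone: denied */
        _exit(0);
    }
    if (pid < 0 || waitpid(pid, &st, 0) < 0) return 127;
    return WIFSIGNALED(st) ? -WTERMSIG(st) : WEXITSTATUS(st);
}
int main(void) { return !(run_helper(0) == 0 && run_helper(1) == -SIGSYS && run_helper(2) == -SIGSYS); }
```

A real decoder would need a longer allow-list (memory management at least), which is why the file is opened before the filter is installed and only its descriptor is used afterwards.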