D7539: Dolphin - Add autoplay feature for media files
Elvis Angelaccio
noreply at phabricator.kde.org
Fri Aug 25 22:14:10 BST 2017
elvisangelaccio added a comment.
In https://phabricator.kde.org/D7539#140094, @graesslin wrote:
> I need to point out that from a security perspective this is a very dangerous change. With autoplay enabled a drive-by-download with a corrupted media file will be autoplayed when the user enters the Download order in dolphin. Chromium downloads files automatically without asking the user and stores them in ~/Downloads. This was an issue which recently hit tracker (baloo is affected in similar ways, just inside KDE nobody cared so far).
>
> Given that I would suggest to move the media playback into a sandbox (e.g. a seccomp enabled helper process which is not allowed to write to files and fork, etc.) and only enable autoplay if there is no risk that this can be used to take over the system by just navigating to a malicious website.
Good point, but a sandbox is probably out of scope for Dolphin. It could be implemented in Phonon (which is what Dolphin uses to play media files), so all Phonon users would benefit from it.
REPOSITORY
R318 Dolphin
REVISION DETAIL
https://phabricator.kde.org/D7539
To: pekkah, #dolphin, #kde_applications
Cc: graesslin, anthonyfieroni, elvisangelaccio, #dolphin, pekkah, navarromorales, firef, andrebarros, alexeymin, genaxxx, emmanuelp
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.kde.org/mailman/private/kfm-devel/attachments/20170825/f4db12d5/attachment.htm>
More information about the kfm-devel
mailing list