Bug 181542

Summary: A link to remote .sh in a mail message leads to a script execution
Product: [Applications] kmail Reporter: Michael <gfdsa>
Component: generalAssignee: kdepim bugs <kdepim-bugs>
Status: RESOLVED FIXED    
Severity: normal CC: jtamate
Priority: NOR    
Version: unspecified   
Target Milestone: ---   
Platform: Compiled Sources   
OS: Linux   
Latest Commit: Version Fixed In:

Description Michael 2009-01-21 23:41:46 UTC 
Version:           KMail Version 1.10.92 Using KDE 4.1.87 (KDE 4.1.87 (KDE 4.2 >= 20090101)) "release 3.1" (using Devel)
OS:                Linux
Installed from:    Compiled sources

That is terribly wrong. Just wrong. Programs sent by email should never be executed. My 50 years old aunt will click on it and will click on "Yes" to execute the script without even reading the message.

1. Get an email with (http|ftp)://server/script.sh
2. Click on the link ( expect save and download here)
3. Get the message: Do you really want to execute (http|ftp)://server/script.sh?
4. Bite the dust with your NOPASSWD suduers file or IRC bot installed on unprivileged port.

I am not sure if it is really kmail fault that most probably just passes the link to kdelibs. But isn't it obvious that kmail has to block such things?

I am not paranoid, but I don't want to get outlook express back again after 8 years w/o it. So ho pe and you.
Comment 1 Jaime Torres 2009-02-01 12:42:19 UTC 
I totally agree.
Even when I've tried such file it opened me kwrite without asking me what to do with the file (may be because of the mime-type).

Kmail should not provide a way to execute linked or attached content.
Comment 2 Thomas McGuire 2009-03-19 00:52:05 UTC 
Fixed with r927077.