Bug 96297

Summary: Konqueror Download Dialog Source Spoofing
Product: [Applications] konqueror
Reporter: Waldo Bastian <bastian>
Component: general
Assignee: Konqueror Developers <konq-bugs>
Status: RESOLVED WAITINGFORINFO
Severity: normal
CC: finex, security
Priority: NOR
Version: unspecified
Target Milestone: ---
Platform: Compiled Sources
OS: Linux
Latest Commit:
Version Fixed In:
Attachments: testcase

Description Waldo Bastian 2005-01-04 15:59:39 UTC
Version:            (using KDE Devel)
Installed from:    Compiled sources

Jakob Balle of Secunia reported that the source URL in the Konqueror open-with dialog can be created in such a way that the user can be tricked into believing that the URL refers to a trusted site. Although recent Konqueror versions include the hostname in the dialog caption, the download dialog has room for improvement:

*) The originating host could be listed explicitly and untruncated in the dialog
*) There is currently no way to examine the complete URL (e.g. via a tooltip).

Testcase follows

This issue is identical to Secunia advisory SA13599, which was released for Mozilla / Mozilla Firefox: http://secunia.com/advisories/13599/
Comment 1 Waldo Bastian 2005-01-04 16:00:13 UTC
Created attachment 8913
testcase
Comment 2 Vincent Panel 2005-05-24 16:14:01 UTC
Cosmetic bug and not really a security issue IMO.

1) You still see the full URL in the address bar
2) Konqueror developers could have chosen not to display any URL, like in some other browsers, but they show a truncated one which is better.
Comment 3 FiNeX 2009-10-03 14:55:07 UTC
Is this bug still valid on KDE 4?