Bug 24528 - kmail URL reference "file:" not "recognised"
Summary: kmail URL reference "file:" not "recognised"
Status: CLOSED FIXED
Alias: None
Product: kmail
Classification: Applications
Component: general (show other bugs)
Version: 1.2
Platform: RedHat Enterprise Linux Linux
: NOR wishlist
Target Milestone: ---
Assignee: kdepim bugs
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2001-04-22 00:18 UTC by Remko Scharroo
Modified: 2007-09-14 12:17 UTC (History)
0 users

See Also:
Latest Commit:
Version Fixed In:

Attachments
Add an attachment

Note You need to log in before you can comment on or make changes to this bug.
Description Remko Scharroo 2001-04-22 00:11:12 UTC 
(*** This bug was imported into bugs.kde.org ***)

Package:           kmail
Version:           1.2 (using KDE 2.1.1 )
Severity:          wishlist
Installed from:    Red Hat Linux 6.9.2
Compiler:          gcc version 2.96 20000731 (Red Hat Linux 7.1 2.96-78)
OS:                Linux 2.4.2-0.1.36smp i686
OS/Compiler notes: 

When using an http: or ftp: reference in a mail it is recognised as a URL is highlighted and is clickable. However not so with file:

Maybe this also the case with some other URL references.

Should be implemented in next version. 

(Submitted via bugs.kde.org)
(Called from KBugReport dialog)
Comment 1 Michael Haeckel 2001-04-22 07:48:00 UTC 
On Sunday 22. April 2001 02:11 remko@deos.tudelft.nl wrote:
>
> When using an http: or ftp: reference in a mail it is recognised as a URL
> is highlighted and is clickable. However not so with file:

We intentionally disabled file: some time ago for security reasons and 
because we didn't consider local links in a mail useful.
Otherwise it might be too easy possible to execute a possibly dangerous local 
command with a single click. Maybe in text mails that does not happen that 
easy since the users sees the real URL but at least in HTML mail that is 
more dangerous since the displayed string and the URL can differ very much.

Regards
Michael Häckel
Comment 2 kde 2002-11-02 12:23:55 UTC 
This function should be an option which is disabled by default. There should 
be a warning in the config window. It would certainly not harm people who know 
what they are doing ;-) 
 
Richard.
Comment 3 Stevan White 2002-12-06 23:48:21 UTC 
I have an application for this feature,  namely, importing mail folders
from an email client that strips out attachments and stores them separately
from the rest of the message.

The simplest solution was to arrange for a URI in the converted message to
point to the attachment file.  This works in Pine.

I don't see how a local file URI is more or less dangerous than a remote URI. 
KMail launches a viewer to view a URI.  It's not as though it executes a command
specified by the URI.

A remote URI could potentially instruct a local program to upload sensitive
information.  The only defenses against this is to disable viewing of remote 
URI's, or to make sure the viewers aren't stupid.  The present behavior of KMail
relies on the latter defense.  That defense is just as effective against local
file URI's as any other URI.
Comment 4 JC Cardot 2007-05-28 19:37:33 UTC 
for those who are wondering, this bug is still alive. See bug #60265.
For me this is no security at all, and should be enabled. I've the same need as comment #3 for http://cardot.net/kmailpt that strips attachments from emails and still keeps a link to those. By the way, the file:// link in html emails is working, so if I read what says comment #1, there is no reason anymore why it does not in text/plain emails...