(*** This bug was imported into bugs.kde.org ***)

Package: kmail
Version: 1.2 (using KDE 2.1.1 )
Severity: wishlist
Installed from: Red Hat Linux 6.9.2
Compiler: gcc version 2.96 20000731 (Red Hat Linux 7.1 2.96-78)
OS: Linux 2.4.2-0.1.36smp i686
OS/Compiler notes:

When using an http: or ftp: reference in a mail, it is recognised as a URL, is highlighted and is clickable. However, not so with file:. Maybe this is also the case with some other URL references. Should be implemented in next version.

(Submitted via bugs.kde.org)
(Called from KBugReport dialog)
On Sunday 22. April 2001 02:11 remko@deos.tudelft.nl wrote:
>
> When using an http: or ftp: reference in a mail it is recognised as a URL
> is highlighted and is clickable. However not so with file:

We intentionally disabled file: some time ago for security reasons and because we didn't consider local links in a mail useful. Otherwise it might be too easily possible to execute a possibly dangerous local command with a single click. Maybe in text mails that does not happen that easily since the user sees the real URL, but at least in HTML mail that is more dangerous since the displayed string and the URL can differ very much.

Regards
Michael Häckel
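The two conditions named in the reply above (a file: target, and an HTML link whose displayed string differs from its real URL) can be checked mechanically before a link is made clickable. This is an added example, not KMail code or part of the original thread; `audit_links`, `BLOCKED_SCHEMES`, the reason labels and the sample mail body are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
import re
BLOCKED_SCHEMES = {"file"}  # assumption: the policy described in this thread
URL_IN_TEXT = re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s<>\"]+", re.I)

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a href=...> element."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":  # anchors without an href are not links and are skipped
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href.strip(), "".join(self._text).strip()))
            self._href = None

def origin(url):
    """(scheme, host) in lower case; ("", "") if the URL does not parse."""
    try:
        parts = urlsplit(url)
    except ValueError:  # malformed input must not crash the check
        return ("", "")
    return (parts.scheme.lower(), parts.netloc.lower())

def audit_links(html_body):
    """Return [(href, text, reasons)] for links a mail client should warn on."""
    collector = LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        reasons = []
        if origin(href)[0] in BLOCKED_SCHEMES:
            reasons.append("local-scheme")
        shown = URL_IN_TEXT.search(text)  # does the visible text claim a URL?
        if shown and origin(shown.group(0)) != origin(href):
            reasons.append("text-url-mismatch")
        if reasons:
            findings.append((href, text, reasons))
    return findings

SAMPLE = ('<a href="file:///tmp/notes.desktop">http://www.kde.org/</a>'  # constructed
          '<a href="http://www.kde.org/">http://www.kde.org/</a>'
          '<a href="http://other.example/x">http://www.kde.org/</a>')
```

Running `audit_links(SAMPLE)` flags the first and third links; the second, whose text and target agree, passes.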
This function should be an option which is disabled by default. There should be a warning in the config window. It would certainly not harm people who know what they are doing ;-) Richard.
I have an application for this feature, namely, importing mail folders from an email client that strips out attachments and stores them separately from the rest of the message. The simplest solution was to arrange for a URI in the converted message to point to the attachment file. This works in Pine. I don't see how a local file URI is more or less dangerous than a remote URI. KMail launches a viewer to view a URI. It's not as though it executes a command specified by the URI. A remote URI could potentially instruct a local program to upload sensitive information. The only defenses against this are to disable viewing of remote URIs, or to make sure the viewers aren't stupid. The present behavior of KMail relies on the latter defense. That defense is just as effective against local file URIs as any other URI.
For those who are wondering, this bug is still alive. See bug #60265. For me this is no security at all, and should be enabled. I've the same need as comment #3 for http://cardot.net/kmailpt that strips attachments from emails and still keeps a link to those. By the way, the file:// link in HTML emails is working, so if I read what comment #1 says, there is no reason anymore why it does not in text/plain emails...