Bug 46371 - filemanager showing wrong symbol but starting correct application - a few thoughts about that
Summary: filemanager showing wrong symbol but starting correct application - a few tho...
Status: RESOLVED UNMAINTAINED
Alias: None
Product: konqueror
Classification: Applications
Component: general
Version: 3.5
Platform: Gentoo Packages Linux
Importance: HI major
Target Milestone: ---
Assignee: Konqueror Developers
Reported: 2002-08-11 22:18 UTC by Diskord
Modified: 2009-09-13 18:41 UTC

Description Diskord 2002-08-11 22:04:15 UTC
(*** This bug was imported into bugs.kde.org ***)

Package:           konqueror
Version:           KDE 3.0.2 
Severity:          wishlist
Installed from:    Gentoo Packages
Compiler:          gcc 3.1.1
OS:                Linux
OS/Compiler notes: Not Specified

Hi

When I have a script named something.jpg, Konqueror shows the picture symbol, but when I click on it, it starts the script. Maybe it is a good idea to check, before executing a script/binary, whether the extension was shown correctly and, if it was shown falsely, not execute the script/binary.

The reason for this:
If someone gets an archive, for example a tar.gz, and extracts the files, then he could think that something.jpg (the file was in the archive) is a picture because Konqueror uses the picture symbol, but in reality it is a malicious script which would be executed with a click on the picture symbol.

Maybe you could check "here is a binary or script for execution -> is the file extension one of the registered ones? -> yes -> is it the registered one for script or binary -> no -> don't execute it"


Thank you for thinking about it. :)

Sincerely
Jan van Dijk

(Submitted via bugs.kde.org)
Comment 1 Diskord 2002-08-11 23:09:57 UTC
Hi

The problem occurs only when it is a link; I had not noticed this when
I wrote the report.

Example:

#!/bin/sh
xmms

write it to a file:
script

make it executable

set a link to script with the name:
script.jpg

click on script.jpg, which is shown with the image symbol
xmms fires up

Sincerely
Jan van Dijk
Comment 2 Daniel Arnold 2006-11-04 13:29:14 UTC
I have played around with that old bug. Luckily, the original behaviour no longer works in Konqueror 3.5.5, and in any case it never shows a misleading icon (likewise, in text view instead of icon mode, it does not name one file type and act according to another), but the bug is still not solved entirely:

When using the above example with various file extensions (like png, txt, odt, jgp), everything is fine, as the relevant embedded/external application tries to open the linked file but never executes it (and naturally fails with either an error message or a blank page).

But now the evil thing: create a link with a file extension that does not exist in the MIME database (and there are many common file extensions not in MIME). Now it executes the script.

But now two even more evil examples: create a link with the file extension .ogg or (most evil) .doc. Both will be executed although the file extensions exist in the MIME database. Luckily, Konqueror reports the file type "shell script" in all view modes for the links in both cases.

My assumption is that the file type gets determined in these cases by looking into the files as well, and as it doesn't find the relevant patterns, it does not recognize them as ogg or doc (which is technically perfectly right).

The problem, however, is a confused user who just sees the "ogg" or "doc" pattern and just clicks on it without thinking (and as email viruses using such tricks are quite widespread on Windows, we know that this is common).

Because of my above explanation, I have thus changed the priority and severity of that bug from normal -> high and wish -> major.

So my proposed solution for Konqueror is as follows:

Only treat links targeting files with the x-bit set as executable if the file has no file extension (like most shell script links) or if the extension of the link matches a whitelist of file extensions for executable files (which can easily be retrieved from the current MIME database).

Maybe it would also be useful not to assume an arbitrary file type for links according to their names in any case, but to give a nice error message in Konqueror when trying to execute such links. That way people don't wonder why they see a blank page on opening the "image" and directly get pointed at the problem.
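
The rule proposed in comment 2, sketched as an added example (this is not Konqueror code and not part of any comment on this report). The names link_verdict, audit, demo and the hard-coded EXECUTABLE_EXTENSIONS set are assumptions; the proposal would take that list from the MIME database. The sample links are constructed in a temporary directory.

```python
import stat
import tempfile
from pathlib import Path

# Assumption: hard-coded stand-in for the extensions the MIME database
# registers for executable file types.
EXECUTABLE_EXTENSIONS = {".sh", ".py", ".pl", ".run"}
X_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def link_verdict(link: Path) -> str:
    """Decide what a click on a symlink should do under the proposed rule."""
    target = link.resolve()  # follow the link (and any chain) to the real file
    if not target.is_file() or not target.stat().st_mode & X_BITS:
        return "open"  # target is not executable: hand it to a viewer
    ext = link.suffix.lower()  # extension of the link name the user sees
    if ext == "" or ext in EXECUTABLE_EXTENSIONS:
        return "execute"  # the name does not claim to be a document
    return "refuse"  # executable target behind a non-executable name


def audit(directory: Path) -> dict:
    """Return {link name: verdict} for every symlink in a directory."""
    return {p.name: link_verdict(p)
            for p in sorted(directory.iterdir()) if p.is_symlink()}


def demo() -> dict:
    """Build constructed sample links in a temp dir and audit them."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        script = root / "script"
        script.write_text("#!/bin/sh\necho clicked\n")
        script.chmod(0o755)
        photo = root / "photo.dat"  # non-executable target
        photo.write_bytes(b"\xff\xd8\xff\xe0")
        for name, target in [("script.jpg", script), ("script.doc", script),
                             ("script.xyz", script), ("launcher", script),
                             ("run.sh", script), ("holiday.jpg", photo)]:
            (root / name).symlink_to(target)
        return audit(root)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12} {verdict}")
```

Unknown extensions such as .xyz fall into "refuse" as well, which covers the case of extensions missing from the MIME database.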
Comment 3 Jonas Vejlin 2009-06-19 21:49:07 UTC
Have you tried to upgrade to KDE 4.2 or later?
Comment 4 FiNeX 2009-09-13 18:41:00 UTC
All reports about file management mode reported against KDE 3 (konqueror) have been closed: konqueror in KDE 3 is no longer developed and maintained. All bugs and wishes which could be interesting for Dolphin in KDE 4 (the new KDE file manager) have been collected into a specific list.

Please try the new file manager before requesting new features and reporting bugs.

Before submitting new reports, check carefully the already opened KDE/Dolphin reports in order not to add duplicates.

Many thanks.