Bug 96297 - Konqueror Download Dialog Source Spoofing
Summary: Konqueror Download Dialog Source Spoofing
Status: RESOLVED WAITINGFORINFO
Alias: None
Product: konqueror
Classification: Applications
Component: general
Version: unspecified
Platform: Compiled Sources Linux
Importance: NOR normal
Target Milestone: ---
Assignee: Konqueror Developers
Reported: 2005-01-04 15:59 UTC by Waldo Bastian
Modified: 2012-01-07 05:22 UTC
Attachments
testcase (302 bytes, text/html)
2005-01-04 16:00 UTC, Waldo Bastian

Description Waldo Bastian 2005-01-04 15:59:39 UTC
Version:            (using KDE Devel)
Installed from:    Compiled sources

Jakob Balle of Secunia reported that the source URL in the Konqueror open-with dialog can be created in such a way that the user can be tricked into believing that the URL refers to a trusted site. Although recent Konqueror versions include the hostname in the dialog caption, the download dialog has room for improvement:

*) The originating host could be listed explicitly and untruncated in the dialog
*) There is currently no way to examine the complete URL (e.g. via a tooltip).

Testcase follows

This issue is identical to Secunia advisory SA13599, which was released for Mozilla / Mozilla Firefox: http://secunia.com/advisories/13599/
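
The first suggestion in the description (list the originating host explicitly and untruncated) can be sketched as follows. This is an added example, not Konqueror code and not part of the original report; the names SourceLabel, hostOf and makeSourceLabel, the hand-written URL splitting and the sample URL are all assumptions made for illustration.

```cpp
#include <iostream>
#include <string>

// Added illustration, not Konqueror code; all names here are hypothetical.
struct SourceLabel {
    std::string host;  // originating host, always shown complete
    std::string rest;  // path and query, the only part that may be shortened
};

// Position of the first character after the authority, or npos.
static std::size_t authorityEnd(const std::string& url, std::size_t start) {
    return url.find_first_of("/?#", start);
}

// Host of an absolute URL (scheme://[userinfo@]host[:port]/...), "" if none.
std::string hostOf(const std::string& url) {
    std::size_t start = url.find("://");
    if (start == std::string::npos) return "";
    start += 3;
    std::size_t end = authorityEnd(url, start);
    std::string auth = url.substr(start, end == std::string::npos ? end : end - start);
    std::size_t at = auth.rfind('@');            // userinfo is not part of the host
    if (at != std::string::npos) auth.erase(0, at + 1);
    if (!auth.empty() && auth[0] == '[') {       // bracketed IPv6 literal
        std::size_t close = auth.find(']');
        return close == std::string::npos ? "" : auth.substr(0, close + 1);
    }
    return auth.substr(0, auth.find(':'));       // drop the port, if any
}

// Build the dialog text: shorten only the path, keeping its tail (file name).
SourceLabel makeSourceLabel(const std::string& url, std::size_t maxRest) {
    SourceLabel label;
    label.host = hostOf(url);
    std::size_t scheme = url.find("://");
    std::size_t end = scheme == std::string::npos ? scheme : authorityEnd(url, scheme + 3);
    if (end != std::string::npos) label.rest = url.substr(end);
    if (maxRest > 3 && label.rest.size() > maxRest)
        label.rest = "..." + label.rest.substr(label.rest.size() - (maxRest - 3));
    return label;
}

int main() {
    // Constructed sample URL with a host too long for a narrow dialog line.
    std::string url = "http://downloads." + std::string(60, 'a') + ".example/files/archive/setup.exe";
    SourceLabel l = makeSourceLabel(url, 16);
    std::cout << "From host: " << l.host << "\nFile: " << l.rest << "\n";
}
```

The host gets its own field so that a dialog can wrap it or expose it in a tooltip instead of eliding it along with the rest of the URL.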
Comment 1 Waldo Bastian 2005-01-04 16:00:13 UTC
Created attachment 8913
testcase
Comment 2 Vincent Panel 2005-05-24 16:14:01 UTC
Cosmetic bug and not really a security issue IMO.

1) You still see the full URL in the address bar
2) Konqueror developers could have chosen not to display any URL, like in some other browsers, but they show a truncated one which is better.
Comment 3 FiNeX 2009-10-03 14:55:07 UTC
Is this bug still valid on KDE 4?