Bug 226090

Summary: Filesystem browser lookahead on typing sftp (& ftp) should be disabled before connected to the server.
Product: [Unmaintained] kdelibs
Component: kdeui
Reporter: James Sleeman <james>
Assignee: KWrite Developers <kwrite-bugs-null>
Status: RESOLVED WORKSFORME
Severity: normal
CC: christoph, faure
Priority: NOR
Version First Reported In: unspecified   
Target Milestone: ---   
Platform: Ubuntu   
OS: Linux   
Attachments:
- wireshark summary trace (ssh port only, IP censored)
- Typing a correct URL trace.

Description James Sleeman 2010-02-10 02:04:39 UTC
Version:           3.3.5 (using KDE 4.3.5)
OS:                Linux
Installed from:    Ubuntu Packages

With the file system browser open, if you type in a new sftp url location, while you are typing a lookahead occurs on the sftp url which includes trying to connect to the partial url.  

Depending on how fast and accurately you type, this can result in attempted connects to non-existent or incorrect servers, with incorrect usernames, incorrect passwords etc.

Many servers, particularly when using SFTP, will detect multiple connect attempts and either rate limit (forced delay of a minute or more) or simply firewall your IP, thinking that you are a possible threat.

The file system browser should NOT try to lookahead when you are typing in an sftp url unless you are already connected to that server.  It should only be permitted to connect to the server when the user hits the enter key.

I expect this bug is related to...
https://bugs.kde.org/show_bug.cgi?id=168908 
https://bugs.kde.org/show_bug.cgi?id=108812
Comment 1 Christoph Cullmann 2010-02-17 19:25:43 UTC
I think this is a problem of the input field we use, kurlnavigator or kdiroperator, therefore passing to kdelibs component.
Comment 2 David Faure 2010-02-18 21:35:22 UTC
[Context: application for testing this is kate, this info was lost when reassigning]

I don't see a dialog box popping up, so this isn't bug 108812.

I do see that the completion is trying to connect to the host once the hostname is complete (i.e. after typing the '/'), but that's fine, isn't it? It helps completing paths even on remote hosts, just like in konqueror. I don't see the bug.
Comment 3 James Sleeman 2010-02-18 23:25:53 UTC
It's a bug (IMHO) because of the aforementioned reason: typos cause undesired incorrect connection attempts, which many hosts will kill you for (at least for a few minutes).

Also, I'm pretty sure I see it making connection attempts before the / is hit, or multiple attempts during the same "typing" (perhaps it's doing so after every /).  

I have also had it prompting for passwords multiple times when just typing in a long url.

I'll see if I can take a more detailed look at the behaviour and report further.
Comment 4 James Sleeman 2010-02-23 01:50:06 UTC
I looked closer to reproduce.

Here is the main problem

It is true it does not try to connect until you type the first slash.  

BUT, if you cursor back and edit the URL without removing that slash, you get many many connection attempts (i.e. every keystroke).

Eg: type in first
  sftp://typouser@typohost/
the first connection attempt is when you type /, now if you are like me (most people?) before you hit enter you look and see there are typos, you cursor back and correct,
  sftp://REALuser@REALhost/
you get many many bad connection attempts while correcting the user and host, especially bad if you typo the user because many (most) servers will see all these bad connection attempts and firewall you.

You may also get prompted by the SSH process many times for password etc.

I'll attach a summary wireshark trace of some action purely generated from typing and correcting in the field.  Of note I typed only 1 slash in the whole process, then cursored (or moused) to backspace and "correct" (or miscorrect) entries, this triggers the hammering of the servers.
Comment 5 James Sleeman 2010-02-23 01:57:17 UTC
Created attachment 41022 [details]
wireshark summary trace (ssh port only, IP censored)
Comment 6 James Sleeman 2010-02-23 01:59:35 UTC
I think a reasonable compromise solution would be to only attempt connections
 a) when the cursor is at the END of the string (and a slash has been typed), and;
 b) when the user hits enter (of course)

If a user is typing in the middle of the string (url), then it should not be trying to connect and "lookahead" there (how could it usefully lookahead in that case anyway)?
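The gating rule proposed in comment 6, set against a model of the behaviour described in comment 4, as an added example that is not part of the bug thread or of kdelibs. The `Edit` struct, both policy functions and the typing session are constructed for illustration and use plain C++ rather than any KDE API.

```cpp
#include <cstddef>
#include <iostream>
#include <string>
#include <vector>

// One edit of the location field (constructed model, not a KDE type).
struct Edit { std::string text; std::size_t cursor; bool enter; };
// Schemes named in the bug summary that need a network connection.
static bool isRemote(const std::string& u) {
    return u.rfind("sftp://", 0) == 0 || u.rfind("ftp://", 0) == 0;
}
// True once the authority (user@host) has been closed by a '/'.
static bool hasPathSlash(const std::string& u) {
    return isRemote(u) && u.find('/', u.find("://") + 3) != std::string::npos;
}
// Model of the behaviour in comment 4: any edit probes once the slash exists.
bool reportedPolicy(const Edit& e) { return hasPathSlash(e.text); }
// Comment 6: probe on Enter, or with the caret at the end after a slash.
bool proposedPolicy(const Edit& e) {
    bool atEnd = hasPathSlash(e.text) && e.cursor == e.text.size();
    return isRemote(e.text) && (e.enter || atEnd);
}
// Overwrite fix.size() characters at pos, one keystroke per recorded edit.
static void retype(std::vector<Edit>& s, std::string& t, std::size_t pos, const std::string& fix) {
    for (std::size_t end = pos + fix.size(); end > pos; --end) {  // backspaces
        t.erase(end - 1, 1);
        s.push_back({t, end - 1, false});
    }
    for (std::size_t i = 0; i < fix.size(); ++i) {                // retyping
        t.insert(pos + i, 1, fix[i]);
        s.push_back({t, pos + i + 1, false});
    }
}
// Constructed session after comment 4: type the typo URL, fix user and host, Enter.
std::vector<Edit> sampleSession() {
    std::vector<Edit> s; std::string t;
    for (char c : std::string("sftp://typouser@typohost/")) { t += c; s.push_back({t, t.size(), false}); }
    retype(s, t, 7, "REAL");   // typouser -> REALuser
    retype(s, t, 16, "REAL");  // typohost -> REALhost
    s.push_back({t, t.size(), true});
    return s;
}
// Number of edits in the session that would open a connection under a policy.
int countProbes(bool (*policy)(const Edit&)) {
    int n = 0;
    for (const Edit& e : sampleSession()) n += policy(e);
    return n;
}
int main() { std::cout << countProbes(reportedPolicy) << " vs " << countProbes(proposedPolicy) << "\n"; }
```

On this constructed session the modelled behaviour opens 18 connections against 2 for the comment 6 rule. One of those 2 still goes to `typohost`, when the first slash is typed.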
Comment 7 James Sleeman 2010-02-24 04:39:26 UTC
Here's another trace I will attach in a second, I started with a url already in the file location input, I highlighted and deleted, then typed in an entirely correct (sftp) url, 

  sftp://*******@phi/home/*******/

(this censored url is correct in its length, phi resolves to a server through a hosts file)

Look at all the connection attempts in the log for this typing; even after the first slash is typed it looks like just about every keystroke causes an attempt. Look at the times to see how rapidly all those SYNs got fired off.

Even deleting the url in one-swoop at the start caused SSH activity (I assume from the "previous" connection, trying a lookahead on... nothing).

The server promptly locked me out for several minutes thinking I was doing a denial of service or something.
Comment 8 James Sleeman 2010-02-24 04:45:24 UTC
Created attachment 41048 [details]
Typing a correct URL trace.
Comment 9 David Faure 2010-10-13 01:24:41 UTC
commit 23f6dc47ef8e8008161cb4e0d0c8016fa7d4dc75
Author: David Faure <faure@kde.org>
Date:   Wed Oct 13 01:14:19 2010 +0200

    Use KIO::stat rather than KIO::NetAccess::stat so that we can pass HideProgressInfo, otherwise a progress
    dialog would pop up at every keystroke while typing the hostname of sftp://hostname.
    
    CCBUG: 226090
    (that bug was for kate, if I understand correctly, so probably the same fix has to be done there)
    CCMAIL: dhdev@gmx.de

diff --git a/shell/openprojectdialog.cpp b/shell/openprojectdialog.cpp
index 07a3eee..19e3de9 100644
--- a/shell/openprojectdialog.cpp
+++ b/shell/openprojectdialog.cpp
@@ -23,6 +23,7 @@
 #include <kio/netaccess.h>
 #include <kio/udsentry.h>
 #include <kio/job.h>
+#include <kio/jobuidelegate.h>
 
 #include <kdebug.h>
 
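Review bot: the `#include <kio/netaccess.h>` kept as context at the top of this hunk looks like a leftover once the `KIO::NetAccess::stat` call in `validateOpenUrl` is replaced. If nothing else in openprojectdialog.cpp still uses `KIO::NetAccess`, drop the include in the same commit so the synchronous NetAccess API is not picked up again by accident.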
@@ -85,11 +86,13 @@ void OpenProjectDialog::validateOpenUrl( const KUrl& url )
             isDir = info.isDir();
             extension = info.suffix();
         }
-    } else 
+    } else
     {
-        KIO::UDSEntry entry;
-        isValid = KIO::NetAccess::stat( url, entry, Core::self()->uiControllerInternal()->defaultMainWindow() );
+        KIO::StatJob* statJob = KIO::stat( url, KIO::HideProgressInfo );
+        statJob->ui()->setWindow( Core::self()->uiControllerInternal()->defaultMainWindow() );
+        isValid = statJob->exec(); // TODO: do this asynchronously so that the user isn't blocked while typing every letter of the hostname in sftp://hostname
         if ( isValid ) {
+            KIO::UDSEntry entry = statJob->statResult();
             isDir = entry.isDir();
             extension = QFileInfo( entry.stringValue( KIO::UDSEntry::UDS_NAME ) ).suffix();
         }
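Review bot: `statJob->exec()` in the `else` branch still runs a blocking stat on the remote URL every time `validateOpenUrl` is called, so `KIO::HideProgressInfo` removes the dialog but not the connection attempt made for each partially typed `sftp://hostname`, which is what bug 226090 reports. Rather than leaving this to the TODO, consider skipping the stat for non-local URLs until the user confirms the URL or pauses typing, and run the job asynchronously so a slow or unreachable host cannot stall the dialog.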
Comment 10 David Faure 2010-10-13 01:27:09 UTC
Sorry my comment #9 was unrelated, that kdevelop fix was about removing progress dialogs, but this bug here is about connecting at all. Ignore my last comment please.
Comment 11 David Faure 2010-10-13 13:34:02 UTC
commit 2ce773624eb67876561eb7a254b806d9f83f29a7
Author: David Faure <faure@kde.org>
Date:   Wed Oct 13 01:14:19 2010 +0200

    Use KIO::stat rather than KIO::NetAccess::stat so that we can pass HideProgressInfo, otherwise a progress
    dialog would pop up at every keystroke while typing the hostname of sftp://hostname.
    
    CCBUG: 226090
    (that bug was for kate, if I understand correctly, so probably the same fix has to be done there)
    CCMAIL: dhdev@gmx.de

diff --git a/shell/openprojectdialog.cpp b/shell/openprojectdialog.cpp
index 07a3eee..19e3de9 100644
--- a/shell/openprojectdialog.cpp
+++ b/shell/openprojectdialog.cpp
@@ -23,6 +23,7 @@
 #include <kio/netaccess.h>
 #include <kio/udsentry.h>
 #include <kio/job.h>
+#include <kio/jobuidelegate.h>
 
 #include <kdebug.h>
 
@@ -85,11 +86,13 @@ void OpenProjectDialog::validateOpenUrl( const KUrl& url )
             isDir = info.isDir();
             extension = info.suffix();
         }
-    } else 
+    } else
     {
-        KIO::UDSEntry entry;
-        isValid = KIO::NetAccess::stat( url, entry, Core::self()->uiControllerInternal()->defaultMainWindow() );
+        KIO::StatJob* statJob = KIO::stat( url, KIO::HideProgressInfo );
+        statJob->ui()->setWindow( Core::self()->uiControllerInternal()->defaultMainWindow() );
+        isValid = statJob->exec(); // TODO: do this asynchronously so that the user isn't blocked while typing every letter of the hostname in sftp://hostname
         if ( isValid ) {
+            KIO::UDSEntry entry = statJob->statResult();
             isDir = entry.isDir();
             extension = QFileInfo( entry.stringValue( KIO::UDSEntry::UDS_NAME ) ).suffix();
         }
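Review bot: `isValid = statJob->exec();` collapses every failure into "invalid", so a host that is unreachable or refuses the connection is indistinguishable from a path that does not exist. Checking `statJob->error()` when `exec()` returns false would let the dialog tell those cases apart and avoid re-running the stat against the same host on the next keystroke after a connection failure.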
Comment 12 Andrew Crouthamel 2018-11-05 03:10:11 UTC
Dear Bug Submitter,

This bug has been stagnant for a long time. Could you help us out and re-test if the bug is valid in the latest version? I am setting the status to NEEDSINFO pending your response, please change the Status back to REPORTED when you respond.

Thank you for helping us make KDE software even better for everyone!
Comment 13 Andrew Crouthamel 2018-11-16 05:24:11 UTC
Dear Bug Submitter,

This is a reminder that this bug has been stagnant for a long time. Could you help us out and re-test if the bug is valid in the latest version?

Thank you for helping us make KDE software even better for everyone!
Comment 14 Justin Zobel 2022-12-09 22:13:08 UTC
Thank you for reporting this issue in KDE software. As it has been a while since this issue was reported, can we please ask you to see if you can reproduce the issue with a recent software version?

If you can reproduce the issue, please change the status to "REPORTED" when replying. Thank you!
Comment 15 Bug Janitor Service 2022-12-24 05:23:19 UTC
Dear Bug Submitter,

This bug has been in NEEDSINFO status with no change for at least
15 days. Please provide the requested information as soon as
possible and set the bug status as REPORTED. Due to regular bug
tracker maintenance, if the bug is still in NEEDSINFO status with
no change in 30 days the bug will be closed as RESOLVED > WORKSFORME
due to lack of needed information.

For more information about our bug triaging procedures please read the
wiki located here:
https://community.kde.org/Guidelines_and_HOWTOs/Bug_triaging

If you have already provided the requested information, please
mark the bug as REPORTED so that the KDE team knows that the bug is
ready to be confirmed.

Thank you for helping us make KDE software even better for everyone!
Comment 16 Bug Janitor Service 2023-01-08 05:16:34 UTC
This bug has been in NEEDSINFO status with no change for at least
30 days. The bug is now closed as RESOLVED > WORKSFORME
due to lack of needed information.

For more information about our bug triaging procedures please read the
wiki located here:
https://community.kde.org/Guidelines_and_HOWTOs/Bug_triaging

Thank you for helping us make KDE software even better for everyone!