Summary: | Make "filename" attribute take precedence to "name" attribute | ||
---|---|---|---|
Product: | [Applications] kmail2 | Reporter: | Bernd Oliver Sünderhauf <pancho.s> |
Component: | general | Assignee: | kdepim bugs <kdepim-bugs> |
Status: | RESOLVED UNMAINTAINED | ||
Severity: | normal | CC: | montel |
Priority: | NOR | ||
Version: | 4.10 pre | ||
Target Milestone: | --- | ||
Platform: | Ubuntu | ||
OS: | Linux | ||
Latest Commit: | http://commits.kde.org/kdepim/b7f82d208fe74043ecc11d63f718e8b5b9b7b06b | Version Fixed In: | 4.10 |
Sentry Crash Report: | |||
Attachments: |
test case
another test case regarding aspect #3 |
Description
Bernd Oliver Sünderhauf
2012-12-04 19:30:55 UTC
Created attachment 75625 [details]
test case
I confirm it. will look at soon Git commit b7f82d208fe74043ecc11d63f718e8b5b9b7b06b by Montel Laurent. Committed on 05/12/2012 at 08:37. Pushed by mlaurent into branch 'master'. Fix Bug 311158 - Attachment properties dialog doesn't understand "filename" attribute FIXED-IN: 4.10 M +1 -1 messagecore/attachmentpropertiesdialog.cpp http://commits.kde.org/kdepim/b7f82d208fe74043ecc11d63f718e8b5b9b7b06b Created attachment 75633 [details]
another test case regarding aspect #3
Regarding aspect #3, the case of contradicting filename and name properties, here's a second test case: filename says "dangerouscode.doc", while name says "justsome.txt". Now,
- Enterprise or fancy headers pretends "justsome.txt" and shouldn't
- Editing the message pretends "justsome.txt" and shouldn't
This is security-relevant just because the file is correctly saved to "dangerouscode.doc"
Other places seem to be fine.
The case of contradicting MIME headers and filename extensions might also be security relevant, but is not subject of this bug ticket.
Finally, aspect #4 should be split off to a separate ticket.
Aspect #4 is now split off to the new Bug #311179. Reopening as a normal bug because of security implications. So what we must to show ?: name or filename ? "filename" is the RFC-standard attribute, according to the IETF (see http://www.imc.org/ietf-smtp/mail-archive/msg05023.html). The "name" attribute isn't RFC-standard (and has been only erroneously for some limited time). Mostly it is only result of a wrong but widespread implementation, so for compatibility it is still recommended to be sent as a redundancy, but shouldn't take precedence when receiving a message. (This is potentially security-relevant. Still I'm aware and sorry that these are nit-picking details compared to the "real", the major bugs that are still waiting to be fixed... :) But in the end, I can (and will) just report whatever I come across. Thanks for being so responsive!) This bug has only been reported for versions before 4.14, which have been unsupported for at least two years now. Can anyone tell if this bug still present? If noone confirms this bug for a Framework-based version of kmail2 (version 5.0 or later, as part of KDE Applications 15.12 or later), it gets closed in about three months. Just as announced in my last comment, I close this bug. If you encounter it again in a recent version (at least 5.0 aka 15.08), please open a new one unless it already exists. Thank you for all your input. |