Bug 318743

Summary: Accessing webdav kio will complain about security issue
Product: [Unmaintained] kio Reporter: Weng Xuetian <wengxt>
Component: webdavAssignee: kdelibs bugs <kdelibs-bugs-null>
Status: RESOLVED INTENTIONAL    
Severity: normal CC: adawit, christopher.m.braeuer
Priority: NOR    
Version First Reported In: 4.10.2   
Target Milestone: ---   
Platform: Chakra   
OS: Linux   
Latest Commit: Version Fixed/Implemented In:
Sentry Crash Report:

Description Weng Xuetian 2013-04-23 01:16:23 UTC 
usually, owncloud or some other webdav will not under root directory of a website, 

webdavs://USER@exmaple.com:443/owncloud/remote.php/webdav/

however, kio seems want to stat all the parent directory in that path, with webdavs://USER@exmaple.com:443/ , webdavs://USER@exmaple.com:443/owncloud, and webdavs://USER@exmaple.com:443/owncloud/remote.php

,which results in passing authentication infomation when it's not required. And kdelibs add a new feature (at least since 4.9) about warning if website doesn't require authentication, which is annoying when access webdav based folder.

Reproducible: Always

Steps to Reproduce:
1. access owncloud's webdav folder in dolphin
Actual Results:  
some dialog jumps out complain about "is this site you really want to access".

Expected Results:  
without such warning.
Comment 1 Dawit Alemayehu 2013-10-12 15:12:17 UTC 
That is because you have "USER@" in the url while accessing a webserver that does not require authentication. Why do you specify a username in the url?

BTW, you can disable this potential spoofing check in kio_http by adding "no-spoof-check=true" to $KDEHOME/share/config/kio_httprc. If you want to only disable it for this particular host, add it under [example.com] section.
Comment 2 Christopher Bräuer 2013-10-21 13:48:32 UTC 
Maybe this has to do with the bug, I reported:
https://bugs.kde.org/show_bug.cgi?id=323038
Comment 3 Dawit Alemayehu 2014-03-08 20:49:51 UTC 
It is not kio_webdav that does this but the directory lister that Dolphin uses. KIOslaves like kio_webdav only fulfill the request they receive. They do not perform additional requests on their own.
Comment 4 Dawit Alemayehu 2014-09-27 15:17:52 UTC 
We cannot remove the spoof check since it was added for security purposes. There are two solutions to this problem:

1.) Do not automatically added your username to the URL you enter in the address bar.
2.) Disable the spoof check for that host by setting the "no-spoof-check" parameter to true in $HOME/.kde/share/config/kio_httprc:

[example.com]
no-spoof-check=true

- Removing the hostname section, [example.com], will make that setting global and disable the URL spoof checking code completely.