Bug 329687

Summary: previewing an HTML file from a local file system causes network retrievals while generating the thumbnail
Product: [Frameworks and Libraries] kio-extras Reporter: Hohyeis <hohyeis>
Component: Thumbnails and previews Assignee: Plasma Development Mailing List <plasma-devel>
Status: RESOLVED FIXED    
Severity: major CC: de.meyer.maarten, nate, stefan.bruens
Priority: NOR    
Version: unspecified   
Target Milestone: ---   
Platform: unspecified   
OS: All   
URL: file:///
Latest Commit: Version Fixed In:
Sentry Crash Report:

Description Hohyeis 2014-01-07 12:06:09 UTC
This can be observed in Dolphin 4.11.3 when a local HTML file is previewed which includes resources not on the local file system, such as inline images. The remote network resources are retrieved.

Reproducible: Always

Actual Results:  
The requests can be seen in a packet sniffer or, if errors occur retrieving files for the preview, on the TTY from which Dolphin was launched or a message in an error window. I forget which. The error messages are issued by kio_thumbnail.

Expected Results:  
Resources on non-local file systems should not be retrieved. Among the reasons is that it is a security compromise, leaking information by unintended network requests. The user does not expect network retrievals to happen when browsing folders which may contain saved HTML files.

The retrievals could be restricted to being on the same FS as the HTML file.
Where the HTML file is retrieved over the network, it would be best to restrict retrievals to the same protocol and host.
Alternatively, previewing an HTML file could not initiate retrieval of other files.

Since this is a security issue, I've marked this report as 'major' severity.
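
The retrieval policy proposed in the description above, written out as a check over the sub-resource URLs an HTML file references. This is an added example, not part of the bug report and not kio-extras code. The tag/attribute list, the function names and the sample markup are assumptions constructed for the example, and "same FS" is approximated as a `file:` URL with no remote host.

```python
# Added example: list the sub-resources an HTML document references and
# mark which ones a previewer could fetch under the proposed policy.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that make a renderer fetch a sub-resource (not exhaustive).
FETCH_ATTRS = {
    "img": ("src",), "script": ("src",), "link": ("href",),
    "iframe": ("src",), "video": ("src", "poster"), "audio": ("src",),
    "source": ("src",), "embed": ("src",), "object": ("data",),
}

class ResourceCollector(HTMLParser):
    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.resources = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # <base href> changes how later relative URLs are resolved.
        if tag == "base" and attrs.get("href"):
            self.base_url = urljoin(self.base_url, attrs["href"])
        for name in FETCH_ATTRS.get(tag, ()):
            if attrs.get(name):
                self.resources.append(urljoin(self.base_url, attrs[name]))

def allowed(doc_url, res_url):
    doc, res = urlsplit(doc_url), urlsplit(res_url)
    if res.scheme == "data":
        return True  # inline content, nothing is retrieved
    if doc.scheme == "file":
        # Local document: only local files, never a remote host.
        return res.scheme == "file" and res.netloc in ("", "localhost")
    # Remote document: same protocol and host only.
    return (res.scheme, res.netloc.lower()) == (doc.scheme, doc.netloc.lower())

def audit(doc_url, html):
    collector = ResourceCollector(doc_url)
    collector.feed(html)
    return [(url, allowed(doc_url, url)) for url in collector.resources]

# Constructed sample of a saved page with local and remote references.
SAMPLE = """<html><head><link rel="stylesheet" href="style.css">
<script src="//cdn.example.net/t.js"></script></head>
<body><img src="http://images.example.org/logo.png">
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw="></body></html>"""
```

Calling `audit("file:///home/user/saved/page.html", SAMPLE)` returns each resolved URL with a flag; the protocol-relative `//cdn.example.net/t.js` resolves to a `file:` URL with a remote host and is rejected along with the `http:` image.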
Comment 1 Maarten De Meyer 2014-09-26 20:27:24 UTC
I think this is the expected behavior.

What if my HTML file uses a remote CSS file for styling? The thumbnail won't look anything like the page rendered in a browser.

I'm also not sure if this is such a big security concern; it 'leaks' the same information as if you would open it in Firefox.
But I agree it's not ideal.

Thank you for looking into this.
Comment 2 Stefan Brüns 2018-12-01 01:20:58 UTC
The HTML thumbnailer has been removed completely:
https://phabricator.kde.org/D15095