Bug 398140

Summary: Thumbnail generation causes execution of web page.
Product: [Frameworks and Libraries] kio-extras Reporter: boonhead.nl <bugs.kde.org>
Component: Thumbnails and previewsAssignee: Plasma Bugs List <plasma-bugs-null>
Status: RESOLVED UNMAINTAINED    
Severity: major CC: kde
Priority: NOR    
Version First Reported In: unspecified   
Target Milestone: ---   
Platform: Neon   
OS: Linux   
Latest Commit: Version Fixed/Implemented In:
Sentry Crash Report:

Description boonhead.nl 2018-09-02 01:39:21 UTC 
Premise:
As I'm changing the icon of my Application Menu in KDE, I opened the "Select Icon" dialog, I chose "Other icons", and "Browse". I get the Dolphin version of the "common open file dialog".

This dialog opens my home folder. In my home folder I have a sub-directory. This sub-directory contains a HTML file. The HTML file contains only a `<video>` tag with attribute `autoplay="true" loop="true" src="[..]`. (In my case `<video id="vidBanner" class="banner" autoplay="true" loop="true" src="https://static1.squarespace.com/static/5b5f03d47c93279793af2d46/t/5b86591bb8a045dcb8664a1c/1535531301739/short+commercial.mp4"></video>`)

Problem:
Dolphin's "common open file dialog" starts playing the video. I was baffled as sound was playing and I had no idea where it was coming from. I thought I was hacked or something.

If I remove the HTML file containing the `<video>`-tag, all behaves normal again.

The processes involved: thumbnail.so -> QtWebEngineProcess.

If video is being executed within the web page, I wonder what more can be executed.. and possibly exploited..
I have filed this bug as 'major' because I don't know how severe this issue actually is.. feel free to scale the severity down.

I'm using most recent version of KDE Neon 5.12.6, Frameworks 5.49.0, Qt 5.11.1.
Comment 1 Kai Uwe Broulik 2018-09-03 08:39:01 UTC 
The HTML thumbnailer has been removed. So this is technically "fixed".