Bug 461564

Summary: Dolphin displays thumbnails of files without read access
Product: [Applications] dolphin Reporter: genetin
Component: view-engine: generalAssignee: Dolphin Bug Assignee <dolphin-bugs-null>
Status: CONFIRMED ---    
Severity: major CC: dimitri.code, justin, kfm-devel
Priority: NOR    
Version First Reported In: 19.12.3   
Target Milestone: ---   
Platform: Ubuntu   
OS: Linux   
Latest Commit: Version Fixed In:
Sentry Crash Report:

Description genetin 2022-11-07 23:09:59 UTC 
Dolphin displays thumbnails of files, even if you do not have read access to these files.
I set the severity of this bug to "major" because there is a security issue : the content of a file that is not readable mustn't be displayed.

STEPS TO REPRODUCE
1. Create a file "a.jpg" and display its thumbnail in Dolphin
2. chmod 0 a.jpg
3. Refresh Dolphin display (or even quit Dolphin and restart it)

OBSERVED RESULT
The thumbnail of a.jpg is still displayed (although you have no right to see the content of the file).

EXPECTED RESULT
No thumbnail should be displayed for files you are not allowed to read.
Comment 1 Dimitri 2025-01-05 14:39:51 UTC 
I agree. And it's what is asked by the standard : "Programs should first check that the original image file is readable. If it is not, the program should not attempt to read a thumbnail from the cache, and it should not save any information in the cache (including "failed" thumbnails)."
https://specifications.freedesktop.org/thumbnail-spec/latest/thumbsave.html#id-1.7.7

This usually isn't a problem because having access to the thumbnail means that the user had access to the file before.
But it become an issue if someone try to save space by sharing the thumbnail folder between multiple people with different level of access.
Comment 2 Justin Zobel 2025-02-08 01:36:25 UTC 
Can confirm that the thumbnail is still shown if there are no read permissions on the file.