Bug 486285

Summary: Limit characters used in filenames and warn for others and check for directory traversal
Product: [Frameworks and Libraries] frameworks-kio Reporter: myusualnickname <myusualnickname>
Component: Open/save dialogsAssignee: KIO Bugs <kio-bugs-null>
Status: REPORTED ---    
Severity: wishlist CC: fanzhuyifan, kdelibs-bugs-null
Priority: NOR    
Version First Reported In: 6.0.0   
Target Milestone: ---   
Platform: Other   
OS: Linux   
Latest Commit: Version Fixed/Implemented In:
Sentry Crash Report:

Description myusualnickname@gmail.com 2024-04-29 10:01:22 UTC 
I would like to warn users when certain characters are in a filename, or certain filenames match reserved words (com in windows?) that it will break compatibility.

Users have no reason to know that their filename choices can break stuff, so I would ask that an option to block creation of files with certain characters, or warn  users when creating files with certain characters that it may limit compatibility and suggest removing symbols. 

   This gets complicated when using unicode, so allow utf8 or utf16 may have to be a thing, but warning when the path is too long may also be needed.

I would set warn for things like *$!?><| to be default for creating a file, but then have a "don't warn me again" option in the dialog,  but have that warning be set to immutable by a higher priority config, and also make it so those filenames can be blocked by policy.

I would also have another level of warning for non typeable and non printable characters.   a unicode filter may be needed as people need to save files in their own language, and some of these bad characters may be escaped out to form a valid character.  So being able to show unicode control characters as ascii might also be a slick option.

I would also consider having a warning when opening a file with a bad name, but not sure on proper behavior.

I don't want a huge number of warnings to flood a computer when mounting a volume with malicious names and control characters



It may be argued that it is not the job of kde to block ../../../../ but it seems like it could cause problems.  The handling of folders was wonderful, it warned me that I could not create a file when I did ../../../../../../home/user/foo/bar/baz/file.txt  but when I made those directories it allowed the creation of the file.. it may be great behavior, but I will be deploying KDE in harsh enviornments.

testing this in Kate on Suse tumbleweed, I just learned about vulnerabilities in MySQL client because of directory traversal allowing loading of arbitrary code.

and it might be nice to do something to stop it. or ask the user if they meant to do it, I am guessing some applications may take an arbitrary string in and save a file there, and it may not even use the saveas dialog. 

This is a debatable thing because some power users might want to do it, but I'm going to be deploying the system
Comment 1 myusualnickname@gmail.com 2024-12-19 04:49:27 UTC 
This is fantastically important and is a security vulnerability.

Devices become unusable when bad filenames are propagated.

We need to both catch them as recipients and as exporters.