| Summary: | [testcase] Failed http: to local file: link within HTML frame. | ||
|---|---|---|---|
| Product: | [Applications] konqueror | Reporter: | Mary <mary> |
| Component: | khtml | Assignee: | Konqueror Developers <konq-bugs> |
| Status: | RESOLVED WORKSFORME | ||
| Severity: | minor | CC: | ana, dap78, lex.lists, peter_e |
| Priority: | NOR | Keywords: | triaged |
| Version: | 4.0.3 | ||
| Target Milestone: | --- | ||
| Platform: | Compiled Sources | ||
| OS: | Linux | ||
| Latest Commit: | Version Fixed In: | ||
| Sentry Crash Report: | |||
Subject: Re: New: Failed http: to local file: link within HTML frame.
Am Sonntag 08 Februar 2004 20:03 schrieb Mary:
> The checkLinkSecurity test in kdelibs/khtml/khtml_part.cpp is performed
> twice for the above case. First as a warning in KHTMLPart::urlSelected, and
> again as an error in KHTMLPart::requestObject(khtml::ChildFrame *child
> ....)
Is this any important? Ok, you got two errors for this constructed case, but
why care?
Greetings, Stephan
The second message is an error and denies access unconditionally. This sort of link is normally not good practice, but it is occasionally useful. Useful? In security exploits possibly. Sure. So allow it or deny it, but don't offer the option to Follow the link, and then immediately deny access for the same reason. This bug is no big deal - just logged as a minor inconsistency producing slightly confusing behaviour. A user can circumvent the check completely with "Open in New Tab". *** Bug 117584 has been marked as a duplicate of this bug. *** I still see the same behavior in 3.5.4... it seems to me like if the user accepts the warning, the error should not appear. Will attach a simple patch to do that, opinions? a patch would be a nice idea. multiple users experincing the problem --> confirm Confirmed problem still exists in 4.0.3 is exactly as described above. testcase added at http://nicgould.f2s.com/kde/test.html click on the link you get this warning: This untrusted page links to file:///etc/hosts. Do you want to follow the link? After clicking on 'follow' get this second error: Access by untrusted page to file:///etc/hosts denied. Is this report still relevant for Konqueror 4.8.4 or later? If yes, please update the version field, otherwise close this bug. Thank you. This is still problem for Konqueror 4.9. Eg. I tried to upload images for a note with drag'n'drop from digikam at https://drive.google.com/keep/ but can't. Sorry, now I think my problem with Google Keep is other problem.. Dear Bug Submitter, This bug has been in NEEDSINFO status with no change for at least 15 days. Please provide the requested information as soon as possible and set the bug status as REPORTED. Due to regular bug tracker maintenance, if the bug is still in NEEDSINFO status with no change in 30 days, the bug will be closed as RESOLVED > WORKSFORME due to lack of needed information. For more information about our bug triaging procedures please read the wiki located here: https://community.kde.org/Guidelines_and_HOWTOs/Bug_triaging If you have already provided the requested information, please set the bug status as REPORTED so that the KDE team knows that the bug is ready to be confirmed. Thank you for helping us make KDE software even better for everyone! Dear Bug Submitter, This bug has been in NEEDSINFO status with no change for at least 30 days. The bug is now closed as RESOLVED > WORKSFORME due to lack of needed information. For more information about our bug triaging procedures please read the wiki located here: https://community.kde.org/Guidelines_and_HOWTOs/Bug_triaging Thank you for helping us make KDE software even better for everyone! |
Version: (using KDE KDE 3.2.0) Installed from: Compiled From Sources Compiler: gcc-2.95.3 OS: Linux When a file: or other local resource is referenced from within an untrusted http: page, a warning is normally displayed, allowing the user to Follow or Cancel the link. If the link to a local file is within a frame, the usual warning is shown, but selecting "Follow" generates a second error message refusing the link. This was seen in both KDE-3.1.1 & KDE 3.2.0. "This untrusted page contains a link file:/etc/hosts to your local file system." Reproduce with : Frameset accessed via HTTP <html> <frameset> <frame src="frame.html" name="frame"> </frameset> </html> Where frame.html contains a local reference <html> <a href="file:/etc/hosts">Local link to file:/etc/hosts</a> </html> Discussion: The checkLinkSecurity test in kdelibs/khtml/khtml_part.cpp is performed twice for the above case. First as a warning in KHTMLPart::urlSelected, and again as an error in KHTMLPart::requestObject(khtml::ChildFrame *child ....) Removing the second check makes this case work as expected (ie. just the one warning with an option to Follow the link), but what other loop-holes does it open ?