Bug 94812

Summary: popup windows from Konqueror have a security bug
Product: [Applications] konqueror
Reporter: Giovanni Venturi <giovanni>
Component: general
Assignee: Konqueror Developers <konq-bugs>
Status: RESOLVED FIXED    
Severity: normal    
Priority: NOR    
Version: unspecified   
Target Milestone: ---   
Platform: unspecified   
OS: Linux   
Attachments: security.png

Description Giovanni Venturi 2004-12-10 14:39:22 UTC
Version:           3.2.0 (using KDE 3.2 BRANCH >= 20040204, Mandrake Linux Cooker i586 - Cooker)
Compiler:          gcc version 3.3.2 (Mandrake Linux 10.0 3.3.2-6mdk)
OS:                Linux (i686) release 2.6.3-4mdkenterprise

The browser Konqueror 3.x has a big security bug:
http://secunia.com/multiple_browsers_window_injection_vulnerability_test/
Comment 1 Stephan Binner 2004-12-10 16:45:12 UTC
> The browser Konqueror 3.x has a big security bug

How can you tell about all 3.x when you only run 3.2?

Fixed in 3.3.1 and up iirc.
Comment 2 Giovanni Venturi 2004-12-10 23:05:00 UTC
> > The browser Konqueror 3.x has a big security bug
>
> How can you tell about all 3.x when you only run 3.2?
>
Here: http://secunia.com/advisories/13254/
> Fixed in 3.3.1 and up iirc.
Well, then I don't understand why with my KDE 3.3.2post (from KDE_3_3_BRANCH of 
yesterday) the test is positive and Konqueror still has this security bug. I 
tested it a few minutes ago. Are you sure it is fixed? Maybe in KDE HEAD?
I think this bug should be reopened.

Comment 3 Maksim Orlovich 2004-12-10 23:06:25 UTC
I think you should contact security@kde.org and not use bugzilla for any security concerns. Thanks.
Comment 4 Giovanni Venturi 2004-12-10 23:10:19 UTC
A screenshot of the presence of the bug.


Created an attachment (id=8611)
security.png
Comment 5 Giovanni Venturi 2004-12-10 23:27:00 UTC
I've just seen: http://www.kde.org/info/security/advisory-20040811-3.txt
then the bug was fixed, but it seems to be there, no? Then this bug is invalid, 
or not?
Comment 6 Giovanni Venturi 2004-12-10 23:29:46 UTC
Sorry for all these replies. I'm trying to check, but it's not the same advisory.

Comment 7 Waldo Bastian 2004-12-12 16:44:56 UTC
CVS commit by waba: 

Let findFrameParent check framename against name of current part if the part is 
a toplevel part.
CCBUG: 94812


  M +4 -1      khtml_part.cpp   1.1060


--- kdelibs/khtml/khtml_part.cpp  #1.1059:1.1060
@@ -4807,5 +4807,5 @@ KHTMLPart::findFrameParent( KParts::Read
 {
 #ifdef DEBUG_FINDFRAME
-  kdDebug(6050) << "KHTMLPart::findFrameParent: this = " << this << " URL = " << m_url << " findFrameParent( " << f << " )" << endl;
+  kdDebug(6050) << "KHTMLPart::findFrameParent: this = " << this << " URL = " << m_url << " name = " << name() << " findFrameParent( " << f << " )" << endl;
 #endif
   // Check access
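Review bot: The DEBUG_FINDFRAME trace at the top of findFrameParent now prints name() and m_url for the part being searched, but still says nothing about the caller whose access is checked just below. Consider logging the calling part's URL as well, so that a refused or unexpected frame lookup can be diagnosed from the trace alone. The statement is also long enough to be worth splitting across lines.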
@@ -4815,4 +4815,7 @@ KHTMLPart::findFrameParent( KParts::Read
      return 0;
 
+  if (!childFrame && !parentPart() && (name() == f))
+     return this;
+
   FrameIt it = d->m_frames.find( f );
   const FrameIt end = d->m_frames.end();
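Review bot: The new early return `if (!childFrame && !parentPart() && (name() == f)) return this;` has no comment, and two things about it are not obvious from the code: why it applies only when `childFrame` is null, and that it has to stay below the `// Check access` block so that a toplevel part is never returned to a caller that failed that check. Please add a short comment stating both, so a later reorder does not move the name match ahead of the access check.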


Comment 8 Waldo Bastian 2004-12-12 16:47:46 UTC
CVS commit by waba: 

Check domain-restrictions before opening new page in existing window
CCBUG: 94812


  M +11 -7     konq_mainwindow.cc   1.1378


--- kdebase/konqueror/konq_mainwindow.cc  #1.1377:1.1378
@@ -2272,4 +2272,15 @@ KonqView * KonqMainWindow::childView( KP
     kdDebug() << "       - viewName=" << viewName << "   "
               << "frame names:" << view->frameNames().join( "," ) << endl;
+
+    // First look for a hostextension containing this frame name
+    KParts::BrowserHostExtension *ext = KParts::BrowserHostExtension::childObject( view->part() );
+    if ( ext )
+    {
+      ext = ext->findFrameParent(callingPart, name);
+      kdDebug() << "BrowserHostExtension found part " << ext << endl;
+      if (!ext)
+         continue; // Don't use this window
+    }
+
     if ( !viewName.isEmpty() && viewName == name )
     {
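Review bot: In the block added ahead of the `viewName == name` test, the `continue` only fires when the part has a BrowserHostExtension and `findFrameParent(callingPart, name)` returns null. When `childObject( view->part() )` itself returns null, control falls through and the window can still be selected by view name with no restriction check at all. If that is intended for parts without a host extension, say so in a comment; otherwise handle the no-extension case explicitly. Also, `ext` is reused for both the host extension and the lookup result, and the comment "First look for a hostextension containing this frame name" no longer describes what is now a gate. A separate variable and an updated comment would make the `if (!ext)` test easier to read.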
@@ -2282,11 +2293,4 @@ KonqView * KonqMainWindow::childView( KP
     }
 
-    // First look for a hostextension containing this frame name
-    KParts::BrowserHostExtension *ext = KParts::BrowserHostExtension::childObject( view->part() );
-    if ( ext )
-    {
-      ext = ext->findFrameParent(callingPart, name);
-    }
-
 //    KParts::BrowserHostExtension* ext = KonqView::hostExtension( view->part(), name );
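Review bot: With the old lookup block removed, the commented-out line `//    KParts::BrowserHostExtension* ext = KonqView::hostExtension( view->part(), name );` is left behind as dead code with nothing around it to explain it. Remove it in the same commit, or replace it with a comment saying why that alternative is not used.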
 


Comment 9 Waldo Bastian 2004-12-12 17:28:48 UTC
reopen
Comment 10 Waldo Bastian 2004-12-12 17:29:53 UTC
Fixed. Security advisory will follow.
Comment 11 Giovanni Venturi 2004-12-12 20:54:24 UTC
Is a backport to, at least, 3.3.x possible?

Comment 12 David Faure 2004-12-13 17:36:24 UTC
It has been backported to 3.3-branch and 3.2-branch.