Bug 181542 - A link to remote .sh in a mail message leads to a script execution
Status: RESOLVED FIXED
Product: kmail
Classification: Unmaintained
Component: general
Version: unspecified
Platform: Compiled Sources Linux
Importance: NOR normal
Assignee: kdepim bugs
Reported: 2009-01-21 23:41 UTC by Michael
Modified: 2009-03-19 00:52 UTC

Description Michael 2009-01-21 23:41:46 UTC
Version:           KMail Version 1.10.92 Using KDE 4.1.87 (KDE 4.1.87 (KDE 4.2 >= 20090101)) "release 3.1" (using Devel)
OS:                Linux
Installed from:    Compiled sources

That is terribly wrong. Just wrong. Programs sent by email should never be executed. My 50-year-old aunt will click on it and will click on "Yes" to execute the script without even reading the message.

1. Get an email with (http|ftp)://server/script.sh
2. Click on the link (expect save and download here)
3. Get the message: Do you really want to execute (http|ftp)://server/script.sh?
4. Bite the dust with your NOPASSWD sudoers file or IRC bot installed on unprivileged port.

I am not sure if it is really kmail's fault, as it most probably just passes the link to kdelibs. But isn't it obvious that kmail has to block such things?

I am not paranoid, but I don't want to get Outlook Express back again after 8 years w/o it. So hope and you.
Comment 1 Jaime Torres 2009-02-01 12:42:19 UTC
I totally agree.
Even when I've tried such a file, it opened kwrite for me without asking me what to do with the file (maybe because of the mime-type).

Kmail should not provide a way to execute linked or attached content.
Comment 2 Thomas McGuire 2009-03-19 00:52:05 UTC
Fixed with r927077.