Version: (using KDE 4.4.2)
OS: Linux
Installed from: Fedora RPMs

Current same-origin policy in khtml allows XMLHTTPRequest()s from local files to arbitrary http/https/webdav sites. This has security implications and is inconsistent with other html engines (gecko, webkit) and even with other similar cases where khtml does not allow cross-domain access.

The problem was reported by Tim Brown and covered by:
http://www.ocert.org/advisories/ocert-2009-015.html

In response to that, a patch was applied that only allows http* and webdav* protocols in XHR, and a KDE advisory was published:
http://websvn.kde.org/?view=revision&revision=1035538
http://www.kde.org/info/security/advisory-20091027-1.txt

However, with the fix applied, javascript in a local file can still access arbitrary http* URLs and hence can be used to "steal" data from a user's authenticated sessions to some internet site, or some internal intranet web sites, and post them to another remote host.

Is there a reason not to drop the "a local file can load anything" privilege? Any use case that may get broken by such a fix? It seems the previous fix already bit some users:
http://forum.kde.org/viewtopic.php?f=18&t=83649

Here is what other browsers / engines do with XHR from local files:
- firefox - allows file:// requests, only to current directory / sub-directories; http:// access not allowed
- webkit - allows file:// access, but not remote
- chromium - recent versions seem to block file:// completely
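The three file:// policies listed above can be stated as one origin check. The following is an added example written for this thread, not khtml or KDE code: a function that decides whether an XMLHttpRequest from a document URL to a target URL should be allowed, with a selectable file:// policy modelled on the behaviour the report attributes to Firefox (same directory or below, no remote), WebKit (any local file, no remote) and Chromium (nothing from file://). It assumes the WHATWG `URL` class (Node.js or a modern browser); the policy names and the `xhrAllowed` function are this example's own.

```javascript
// Added example (not khtml code): a same-origin check for XHR that treats
// file:// documents the way the engines in the report do. Assumes the WHATWG
// URL class (Node.js or a modern browser).

// File-document policies, named after the behaviour described in the report.
const FILE_POLICY = {
  SUBTREE: 'subtree',    // Firefox-like: file:// targets in the same dir or below, never remote
  ANY_FILE: 'any-file',  // WebKit-like: any file:// target, never remote
  DENY: 'deny',          // Chromium-like: no XHR from file:// documents at all
};

// The schemes KDE's 2009 fix kept for XHR from remote documents.
const REMOTE_SCHEMES = new Set(['http:', 'https:', 'webdav:', 'webdavs:']);

// Parse a URL, returning null instead of throwing on garbage input.
function parseOrNull(s) {
  try { return new URL(s); } catch (e) { return null; }
}

// Directory part of a file:// pathname, always ending in '/'.
function dirOf(pathname) {
  return pathname.slice(0, pathname.lastIndexOf('/') + 1);
}

// Decide whether a document at documentUrl may issue an XHR to targetUrl.
// Anything unparsable is denied (fail closed).
function xhrAllowed(documentUrl, targetUrl, filePolicy = FILE_POLICY.SUBTREE) {
  const doc = parseOrNull(documentUrl);
  const target = parseOrNull(targetUrl);
  if (!doc || !target) return false;

  if (doc.protocol === 'file:') {
    if (filePolicy === FILE_POLICY.DENY) return false;
    // This is the case the report is about: a local file reaching a remote host.
    if (target.protocol !== 'file:') return false;
    if (filePolicy === FILE_POLICY.ANY_FILE) return true;
    // URL parsing has already resolved '.', '..' and %2e segments, so a prefix
    // test against the directory (with its trailing slash) is a real subtree test.
    return target.pathname.startsWith(dirOf(doc.pathname));
  }

  // Remote documents: classic same-origin on scheme, host and port, compared
  // field by field because URL.origin is the opaque "null" for webdav: URLs.
  if (!REMOTE_SCHEMES.has(doc.protocol) || !REMOTE_SCHEMES.has(target.protocol)) return false;
  return doc.protocol === target.protocol &&
         doc.hostname === target.hostname &&
         doc.port === target.port;
}
```

With the default `SUBTREE` policy, a page at `file:///home/u/test/a.html` may fetch `file:///home/u/test/data/x.json` but neither `https://bugs.kde.org/` nor `file:///home/u/test/../secret.txt`, which the URL parser resolves to `/home/u/secret.txt` before the prefix check runs. Whichever policy is chosen, the remote branch is the same: a local file never reaches http* or webdav* hosts, which is exactly the privilege the report asks to drop.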
Created attachment 43047 [details] Simple test case. Save to a local .html file, open in konqueror. It uses XHR to access bugs.kde.org to figure out your email address (if you're logged in) and makes a query to a remote site (well, localhost is used by default, but you can change to google to see what it knows about you) with the email in the query.
That's true, but as far as I see, it's not like closing this path really changes anything, as one can still do web access with things like: 1) img src 2) script src 3) form submit
(In reply to comment #2)
> That's true, but as far as I see, it's not like closing this path really
> changes anything, as one can still do web access with things like:

Sorry, can you clarify? This request is not about blocking remote access, but rather about blocking passing of data from one domain to another. Or do I misunderstand your reply? Thanks!
Gah, sorry, I misread. You're right, this is worse, since this also offers read access, and so can steal things like sessions and bypass firewalls. Actually, I think we need to do a bit more, and limit XSS access to things like iframe/object when it comes to files, too, perhaps the way firefox does, since otherwise it's not too hard to steal things like cookies. At any rate, I can't really be sure of what any local uses might be, though. Even your link comes as a surprise to me (well, I did use local XHR for testcasing stuff, but that's not what normal people do). Though, for iframes things like downloading a page requires a lot of care with subdirs and the like.
So, any updates on this? Was the issue pointed out by Tomas Hoger addressed? (1½ years have passed…)
Dear Bug Submitter, This bug has been stagnant for a long time. Could you help us out and re-test if the bug is valid in the latest version? I am setting the status to NEEDSINFO pending your response, please change the Status back to REPORTED when you respond. Thank you for helping us make KDE software even better for everyone!
Dear Bug Submitter, This is a reminder that this bug has been stagnant for a long time. Could you help us out and re-test if the bug is valid in the latest version? This bug will be moved back to REPORTED Status for manual review later, which may take a while. If you are able to, please lend us a hand. Thank you for helping us make KDE software even better for everyone!
Thank you for reporting this issue in KDE software. As it has been a while since this issue was reported, can we please ask you to see if you can reproduce the issue with a recent software version? If you can reproduce the issue, please change the status to "REPORTED" when replying. Thank you!
Dear Bug Submitter, This bug has been in NEEDSINFO status with no change for at least 15 days. Please provide the requested information as soon as possible and set the bug status as REPORTED. Due to regular bug tracker maintenance, if the bug is still in NEEDSINFO status with no change in 30 days the bug will be closed as RESOLVED > WORKSFORME due to lack of needed information. For more information about our bug triaging procedures please read the wiki located here: https://community.kde.org/Guidelines_and_HOWTOs/Bug_triaging If you have already provided the requested information, please mark the bug as REPORTED so that the KDE team knows that the bug is ready to be confirmed. Thank you for helping us make KDE software even better for everyone!
This bug has been in NEEDSINFO status with no change for at least 30 days. The bug is now closed as RESOLVED > WORKSFORME due to lack of needed information. For more information about our bug triaging procedures please read the wiki located here: https://community.kde.org/Guidelines_and_HOWTOs/Bug_triaging Thank you for helping us make KDE software even better for everyone!