Bug 329687 - previewing an HTML file from a local file system causes network retrievals while generating the thumbnail
Status: RESOLVED FIXED
Alias: None
Product: kio-extras
Classification: Frameworks and Libraries
Component: Thumbnails and previews
Version: unspecified
Platform: unspecified All
Importance: NOR major
Target Milestone: ---
Assignee: Plasma Development Mailing List
URL: file:///
Keywords:
Depends on:
Blocks:
 
Reported: 2014-01-07 12:06 UTC by Hohyeis
Modified: 2018-12-01 01:20 UTC

See Also:
Latest Commit:
Version Fixed In:


Description Hohyeis 2014-01-07 12:06:09 UTC
This can be observed in Dolphin 4.11.3 when a local HTML file is previewed which includes resources not on the local file system, such as inline images. The remote network resources are retrieved.

Reproducible: Always

Actual Results:  
The requests can be seen in a packet sniffer or, if errors occur retrieving files for the preview, on the TTY from which Dolphin was launched or a message in an error window. I forget which. The error messages are issued by kio_thumbnail.

Expected Results:  
Resources on non-local file systems should not be retrieved. Among the reasons is that it is a security compromise, leaking information by unintended network requests. The user does not expect network retrievals to happen when browsing folders which may contain saved HTML files.

The retrievals could be restricted to being on the same FS as the HTML file.
Where the HTML file is retrieved over the network, it would be best to restrict retrievals to the same protocol and host.
Alternatively, previewing an HTML file could not initiate retrieval of other files.

Since this is a security issue, I've marked this report as 'major' severity.
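
The restrictions proposed in the description above (local files only for a local document, same protocol and host for a remote one), sketched as an added example that is not part of the original report or of kio-extras. The function names, the tag list and the sample page are assumptions made for illustration, and "same FS" is approximated as a `file:` URL without a remote host.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that makes a renderer fetch a subresource (common subset only).
FETCH_ATTRS = {"img": "src", "script": "src", "link": "href", "iframe": "src",
               "source": "src", "embed": "src", "object": "data"}

def fetch_allowed(document_url, resource_url):
    """Apply the restriction proposed in the report to one subresource."""
    doc = urlsplit(document_url)
    res = urlsplit(urljoin(document_url, resource_url))
    if res.scheme == "data":
        return True  # inline data: nothing is retrieved
    if doc.scheme == "file":
        # Local document: local files only. Assumption: "same FS" is approximated
        # by "file: URL without a remote host"; mount points are not compared.
        return res.scheme == "file" and res.hostname in (None, "localhost")
    # Remote document: same protocol and host only.
    return (res.scheme, res.hostname) == (doc.scheme, doc.hostname)

class ResourceCollector(HTMLParser):
    """Collect the raw subresource references found in start tags."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        wanted = FETCH_ATTRS.get(tag)
        self.urls += [v for k, v in attrs if k == wanted and v]

def blocked_resources(document_url, html):
    """Return the resolved subresource URLs that the policy would refuse."""
    collector = ResourceCollector()
    collector.feed(html)
    return [urljoin(document_url, u) for u in collector.urls
            if not fetch_allowed(document_url, u)]

# Constructed sample: a saved page mixing local, inline and remote references.
SAMPLE = """<html><head>
<link rel="stylesheet" href="style.css">
<link rel="stylesheet" href="http://cdn.example/site.css">
</head><body>
<img src="images/logo.png">
<img src="//img.example/banner.gif">
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=">
</body></html>"""

if __name__ == "__main__":
    for url in blocked_resources("file:///home/user/saved/page.html", SAMPLE):
        print("would be refused:", url)
```

References inside CSS (`url(...)`, `@import`) and `srcset` attributes are not covered by this tag list and would need their own handling.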
Comment 1 Maarten De Meyer 2014-09-26 20:27:24 UTC
I think this is the expected behavior.

What if my HTML file uses a remote CSS file for styling? The thumbnail won't look anything like the page rendered in a browser.

I'm also not sure if this is such a big security concern, it 'leaks' the same information as if you would open it in Firefox.
But I agree it's not ideal.

Thank you for looking into this.
Comment 2 Stefan Brüns 2018-12-01 01:20:58 UTC
The HTML thumbnailer has been removed completely:
https://phabricator.kde.org/D15095