https://bugs.kde.org/show_bug.cgi?id=316893 Just add this to track upstream and as potential blocker for kde-4.10.x stabilization.
As a workaround, I've disabled that option in the systemsettings gui in kde-base/systemsettings-4.10.1-r1 and later. That, however, is indeed only a workaround. Keeping the bug open.
Why is this a potential attack if someone can see pictures he is allowed to see?
(In reply to comment #2)
> Why is this a potential attack if someone can see pictures he is allowed to see?

Clear the filter (*.png, *.jpeg, ...) and you can browse any file. You can then view/delete/rename the whole file system. As upstream mentions he does not know ATM what to do with it, this might be a potential attack vector. But I realised something even worse: it is possible to "add widgets" on the locker and also download them through GHNS. Someone simply has to create a malicious script, upload it to kde-look.org, install it on the locker -> bang.
Actually, changing the widget configuration is not possible since while the screen is really locked the cashew is not accessible. Nevertheless, add one widget that calls a file dialog...

I consider this fixed in Gentoo; I've additionally added rather trivial patches that
* prevent building the required binary "plasma-overlay" (kde-base/plasma-workspace-4.10.1-r1)
* make sure the plasma=true setting in the config file is ignored (kde-base/ksmserver-4.10.1-r1)
(In reply to Andreas K. Hüttel from comment #4)
> Actually, changing the widget configuration is not possible since while the screen is really locked the cashew is not accessible. Nevertheless, add one widget that calls a file dialog...

Probably it's time to revisit this issue? So, it seems that this is not a security issue, but a usability one. One just has to lock widgets before starting to use the lock screen. Adding unsafe widgets is also a user issue. Just don't add unsafe widgets and you're fine. Also, widgets already have to mark themselves as secure for the lockscreen. My point is, this is not a good enough reason to completely remove the functionality.