Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 200175 - kde-base/kioslaves-3.5.8: kurl prettyURL corrupts original URLs
Summary: kde-base/kioslaves-3.5.8: kurl prettyURL corrupts original URLs
Status: RESOLVED UPSTREAM
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] KDE (show other bugs)
Hardware: x86 Linux
: High major
Assignee: Gentoo KDE team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2007-11-24 13:08 UTC by Sönke N. Greimann
Modified: 2007-12-16 23:26 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sönke N. Greimann 2007-11-24 13:08:49 UTC
Accessing FTP sites (e.g. with konqueror) results in a shortened url with an ellipsis (...) in the middle, resulting in authentication failure.

This apparently was fixed upstream, but hasn't yet made it into portage, or has it?

Reproducible: Always

Steps to Reproduce:
1. Access a password-protected ftp site using konqueror & enter password using correct username
2. Watch the URL appear corrupted on the address-bar 
3. navigate the ftp-site

Actual Results:  
Get prompted for password again with pre-selected wrong username from corrupted URL

Expected Results:  
Password should be remembered and/or URL correctly displayed.

See related KDE bug at http://bugs.kde.org/show_bug.cgi?id=150973
Comment 1 Wulf Krueger (RETIRED) gentoo-dev 2007-12-02 14:44:38 UTC
This happens if you use long usernames. The original patch which causes it is a result of security bug 185603. Upstream "fixed" the problem by simply reverting the patch and calling for a better fix for the security issue which doesn't exist.

As I don't like URL spoofing vulnerabilities I tend to *not* revert the patch in question but leave things as they are now. I'd like to get some input from the other members of the KDE herd, though.
Comment 2 Sönke N. Greimann 2007-12-02 19:52:23 UTC
(In reply to comment #1)
> This happens if you use long usernames. The original patch which causes it is a
> result of security bug 185603. Upstream "fixed" the problem by simply reverting
> the patch and calling for a better fix for the security issue which doesn't
> exist.
> 
> As I don't like URL spoofing vulnerabilities I tend to *not* revert the patch
> in question but leave things as they are now. I'd like to get some input from
> the other members of the KDE herd, though.

Forgive me for being obtuse here, but with some web providers, you are stuck with the username they give you. And I don't like URL spoofing vulnerabilities either, but I feel that leaving things as they are now, amounts to being part of the problem rather than being part of the solution!

This "feature" is crippling some very basic functionality of KDE to the point of Konqueror becoming unusable as an ftp-client for rather a lot of folks. Please explain why you'd want to protect people from something they couldn't do anyway because of these "protection measures".

Rendering people impotent may be an effective way of preventing VD, but I don't think it'll fly. IANAP, but there must be a better way of dealing with the original problem without lobotomizing essential functionality.
Comment 3 Wulf Krueger (RETIRED) gentoo-dev 2007-12-02 20:28:51 UTC
 (In reply to comment #2)
> Rendering people impotent may be an effective way of preventing VD, but I don't
> think it'll fly. IANAP, but there must be a better way of dealing with the
> original problem without lobotomizing essential functionality.

I agree. There must be a better solution but at the moment I can choose between potentially letting *everyone* be spoofed into entering sensitive data into a fake website or preventing *some* people from using an insecure protocol (ftp) *if* they (have to) use long usernames. Get me a better solution and I'll gladly use it.

I'm leaving this bug open in the hope of a) getting opinions from KDE herd and b) finding a better solution.
Comment 4 Jorge Manuel B. S. Vicetto (RETIRED) gentoo-dev 2007-12-05 15:52:44 UTC
As I said 2 or 3 days ago to Wulf, but forgot to comment here, I think any patch that fixes a security bug should be used even if it causes some regression.
If an user feels confident enough to be open to security exploits, he/she should be able to create an ebuild in a local overlay that doesn't apply or reverses the patch.
Simply put, we have to choose between having every Gentoo user exposed to a security exploit or some users losing some funcionality, the choice is clear: security first.
Comment 5 Wulf Krueger (RETIRED) gentoo-dev 2007-12-16 23:26:28 UTC
If upstream provides a better patch to fix this problem, I'll gladly add it. I won't just revert the security patch, though.