Accessing FTP sites (e.g. with konqueror) results in a shortened url with an ellipsis (...) in the middle, resulting in authentication failure. This apparently was fixed upstream, but hasn't yet made it into portage, or has it?

Reproducible: Always

Steps to Reproduce:
1. Access a password-protected ftp site using konqueror & enter password using correct username
2. Watch the URL appear corrupted on the address-bar
3. navigate the ftp-site

Actual Results: Get prompted for password again with pre-selected wrong username from corrupted URL

Expected Results: Password should be remembered and/or URL correctly displayed.

See related KDE bug at http://bugs.kde.org/show_bug.cgi?id=150973
This happens if you use long usernames. The original patch which causes it is a result of security bug 185603. Upstream "fixed" the problem by simply reverting the patch and calling for a better fix for the security issue which doesn't exist. As I don't like URL spoofing vulnerabilities I tend to *not* revert the patch in question but leave things as they are now. I'd like to get some input from the other members of the KDE herd, though.
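The failure mode described in this thread is a display-shortened URL being fed back into authentication. As an added example (not KDE's or Konqueror's code), the snippet below keeps the ellipsis shortening display-only, never elides the host, and takes credentials from the parsed URL instead of the address-bar string; all URLs and the 40-character limit are constructed for illustration.

```python
from urllib.parse import urlsplit

MAX_DISPLAY = 40  # constructed address-bar width, not a real KDE setting


def elide_middle(text: str, limit: int) -> str:
    """Shorten text to at most `limit` chars by replacing its middle with '...'."""
    if len(text) <= limit:
        return text
    keep = limit - 3
    head = keep // 2 + keep % 2
    tail = keep - head
    return text[:head] + "..." + (text[-tail:] if tail else "")


def display_url(url: str, limit: int = MAX_DISPLAY) -> str:
    """Display-only form of the URL.

    Only the userinfo is elided, so a long username can never push the real
    host out of view; the password is always masked.  The result must not be
    parsed again for credentials.
    """
    parts = urlsplit(url)
    if parts.username is None:
        return url
    userinfo = parts.username + (":***" if parts.password else "")
    hostport = parts.hostname + (f":{parts.port}" if parts.port else "")
    # Everything except the userinfo keeps its full length; userinfo gets the rest.
    rest = f"{parts.scheme}://@{hostport}{parts.path}"
    budget = max(limit - len(rest), 8)
    return f"{parts.scheme}://{elide_middle(userinfo, budget)}@{hostport}{parts.path}"


def credentials(url: str):
    """Username, password and host for authentication, from the parsed URL."""
    parts = urlsplit(url)
    return parts.username, parts.password, parts.hostname


if __name__ == "__main__":
    # Constructed long, provider-assigned username.
    full = "ftp://provider0123456789accountholder@ftp.example.org/pub/"
    shown = display_url(full)
    print(shown)                       # what the address bar shows
    print(credentials(full)[0])        # what the login uses: the full username
    print(credentials(shown)[0])       # the bug: re-parsing the display string
```

Re-parsing `shown` yields the truncated username, which is exactly the "pre-selected wrong username" the reporter sees; authenticating from `full` avoids it while the display stays short.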
(In reply to comment #1)
> This happens if you use long usernames. The original patch which causes it is a
> result of security bug 185603. Upstream "fixed" the problem by simply reverting
> the patch and calling for a better fix for the security issue which doesn't
> exist.
>
> As I don't like URL spoofing vulnerabilities I tend to *not* revert the patch
> in question but leave things as they are now. I'd like to get some input from
> the other members of the KDE herd, though.

Forgive me for being obtuse here, but with some web providers, you are stuck with the username they give you. And I don't like URL spoofing vulnerabilities either, but I feel that leaving things as they are now amounts to being part of the problem rather than being part of the solution! This "feature" is crippling some very basic functionality of KDE to the point of Konqueror becoming unusable as an ftp-client for rather a lot of folks. Please explain why you'd want to protect people from something they couldn't do anyway because of these "protection measures". Rendering people impotent may be an effective way of preventing VD, but I don't think it'll fly. IANAP, but there must be a better way of dealing with the original problem without lobotomizing essential functionality.
(In reply to comment #2)
> Rendering people impotent may be an effective way of preventing VD, but I don't
> think it'll fly. IANAP, but there must be a better way of dealing with the
> original problem without lobotomizing essential functionality.

I agree. There must be a better solution but at the moment I can choose between potentially letting *everyone* be spoofed into entering sensitive data into a fake website or preventing *some* people from using an insecure protocol (ftp) *if* they (have to) use long usernames. Get me a better solution and I'll gladly use it. I'm leaving this bug open in the hope of a) getting opinions from KDE herd and b) finding a better solution.
As I said 2 or 3 days ago to Wulf, but forgot to comment here, I think any patch that fixes a security bug should be used even if it causes some regression. If a user feels confident enough to be open to security exploits, he/she should be able to create an ebuild in a local overlay that doesn't apply or reverses the patch. Simply put, we have to choose between having every Gentoo user exposed to a security exploit or some users losing some functionality; the choice is clear: security first.
If upstream provides a better patch to fix this problem, I'll gladly add it. I won't just revert the security patch, though.