Bug 532428
Summary: | kdelibs: unrestricted XMLHttpRequest access to local URLs (oCERT-2009-015) | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Tomas Hoger <thoger> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED WONTFIX | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | bressers, jgrulich, jreznik, kevin, rdieter, than |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2015-08-21 22:45:46 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | |||
Bug Blocks: | 532021 | | |
Description
Tomas Hoger
2009-11-02 10:12:52 UTC
Note: This fix does not seem to mitigate all risks of malicious JavaScript in local files, as access to arbitrary remote URLs still seems to be allowed. I'll prepare and commit patches for Fedora, as a start.

Upstream bug report to track the issue mentioned in comment #1: https://bugs.kde.org/show_bug.cgi?id=235468

Oh fun, a 2009 security issue being dug up from under the drawer? I guess we should apply that xmlhttprequest_3.x.diff to our kdelibs3 packages.

That fix still is only partial; the important missing part is not allowing remote access (see bug in comment #8).

For posterity, Firefox currently allows a local HTML file to XHR other local files in the same directory, or subdirectories, while WebKit-based browsers do not allow that (as current kdelibs).
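As an added illustration, not code from kdelibs, Firefox or WebKit, the following JavaScript models the three access policies the comments contrast: the unrestricted behaviour reported in this bug, the partial fix as the comments describe it (local targets denied, remote still allowed), and the Firefox-style same-directory-or-subdirectory rule, combined here with denying remote targets since that is the "missing part" the comments ask for. The function names, policy labels and sample file paths are constructed for this example; the model also normalises `..` segments via the WHATWG URL parser, which goes beyond what the comments state.

```javascript
// Added example, not code from kdelibs, Firefox or WebKit: a model of the
// file:// XMLHttpRequest access policies discussed in the bug comments.
// All function names, policy labels and sample paths are constructed here.

// Directory part of a path, keeping the trailing slash so that
// "/home/u/docs/" is not treated as a prefix of "/home/u/docs2/x".
function directoryOf(pathname) {
  return pathname.slice(0, pathname.lastIndexOf('/') + 1);
}

// Decide whether a document loaded from `documentUrl` may issue an XHR to
// `targetUrl` under one of three modelled policies:
//   'unrestricted' - the behaviour reported in this bug: any target allowed
//   'partial'      - the partial fix as described in the comments: file:
//                    targets denied, remote targets still allowed
//   'same-subtree' - the Firefox local rule from the last comment (same
//                    directory or a subdirectory), plus denial of remote
//                    targets, which is the behaviour the comments ask for
function isXhrAllowed(documentUrl, targetUrl, policy) {
  const doc = new URL(documentUrl);
  const target = new URL(targetUrl); // WHATWG parsing resolves "." and ".." segments
  if (doc.protocol !== 'file:') {
    throw new Error('this model only covers documents loaded from file: URLs');
  }
  switch (policy) {
    case 'unrestricted':
      return true;
    case 'partial':
      return target.protocol !== 'file:';
    case 'same-subtree':
      if (target.protocol !== 'file:') return false; // no remote access
      if (target.host !== doc.host) return false;    // different file host
      return target.pathname.startsWith(directoryOf(doc.pathname));
    default:
      throw new Error(`unknown policy: ${policy}`);
  }
}

// Evaluate a list of targets under every policy and return one row per
// target, so the differences between the policies are visible side by side.
const POLICIES = ['unrestricted', 'partial', 'same-subtree'];

function comparePolicies(documentUrl, targetUrls) {
  return targetUrls.map((targetUrl) => {
    const row = { target: targetUrl };
    for (const policy of POLICIES) {
      row[policy] = isXhrAllowed(documentUrl, targetUrl, policy);
    }
    return row;
  });
}

// Constructed sample: a downloaded HTML page and several targets it might request.
const SAMPLE_DOCUMENT = 'file:///home/user/Downloads/page.html';
const SAMPLE_TARGETS = [
  'file:///home/user/Downloads/data.json',      // same directory
  'file:///home/user/Downloads/sub/more.json',  // subdirectory
  'file:///home/user/.ssh/id_rsa',              // elsewhere on disk
  'file:///home/user/Downloads/../.bashrc',     // ".." traversal out of the directory
  'file:///home/user/Downloads2/x.json',        // sibling directory sharing a prefix
  'http://example.com/collect',                 // remote URL
];

if (typeof require !== 'undefined' && require.main === module) {
  console.table(comparePolicies(SAMPLE_DOCUMENT, SAMPLE_TARGETS));
}
```

Running the file prints a decision table; the rows for the `..` traversal and the `Downloads2` sibling directory show why the directory comparison has to run on the parsed, normalised path with its trailing slash rather than on the raw URL string.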