Multiple issues were reported as part of oCERT-2009-015:
http://www.ocert.org/advisories/ocert-2009-015.html

This bug is for tracking a problem in XMLHttpRequest. Implementation of this feature in kdelibs / khtml did not restrict protocol types that can be used with XMLHttpRequest, allowing malicious JavaScript to access local disk files using the file:// URL type.

This problem only occurred when a malicious file was opened in the null domain, i.e. when opened from disk or Ark's preview mentioned in the oCERT advisory. The same-origin policy blocks exploitation of this problem when the malicious HTML file is opened from a remote host.

Upstream fix, restricting the list of URL types allowed for XMLHttpRequest to http(s) and webdav:
http://websvn.kde.org/?view=revision&revision=1035539

3.x backport:
http://www.davidfaure.fr/2009/xmlhttprequest_3.x.diff
Note: This fix does not seem to mitigate all risks of malicious JavaScript in local files, as access to arbitrary remote URLs still seems to be allowed.
I'll prepare and commit patches for Fedora, as a start.
Upstream bug report to track the issue mentioned in comment #1: https://bugs.kde.org/show_bug.cgi?id=235468
Oh fun, a 2009 security issue being dug up from under the drawer? I guess we should apply that xmlhttprequest_3.x.diff to our kdelibs3 packages.
That fix is still only partial; the important missing part is not allowing remote access (see bug in comment #8). For posterity, Firefox currently allows a local HTML file to XHR other local files in the same directory or subdirectories, while WebKit-based browsers do not allow that (as current kdelibs).
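The scheme restriction from the bug description, and the remote-access gap raised in the follow-up comments, modelled as an added JavaScript example (not KDE's patch and not code from this bug). The function names, the `webdavs` entry, the stricter `strictAllowed` policy and all sample URLs are assumptions made for illustration.

```javascript
// Added illustration; this is not the kdelibs/khtml code.
// Scheme list follows the bug description ("http(s) and webdav");
// "webdavs:" is an assumption, the page does not mention it.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "webdav:", "webdavs:"]);

// Resolve first, then judge: a relative reference from a local page
// inherits file:, and the parser normalises case and stray whitespace.
function resolveTarget(requestUrl, documentUrl) {
  try {
    return new URL(requestUrl, documentUrl);
  } catch (e) {
    return null; // unparsable input is denied by the callers
  }
}

// Policy A: scheme allowlist only, as the description states the fix.
function schemeAllowed(requestUrl, documentUrl) {
  const target = resolveTarget(requestUrl, documentUrl);
  return target !== null && ALLOWED_SCHEMES.has(target.protocol);
}

// Policy B (hypothetical, stricter): a document loaded from disk may not
// issue XMLHttpRequest at all, which also closes the remote-access gap.
function strictAllowed(requestUrl, documentUrl) {
  const doc = resolveTarget(documentUrl);
  if (doc === null || doc.protocol === "file:") return false;
  return schemeAllowed(requestUrl, documentUrl);
}

// Constructed sample requests (not taken from the advisory).
const LOCAL_DOC = "file:///home/user/Downloads/page.html";
const REMOTE_DOC = "https://example.com/app/index.html";
const SAMPLES = [
  ["file:///home/user/private.txt", LOCAL_DOC],
  ["private.txt", LOCAL_DOC],               // relative, resolves to file:
  ["  FILE:///home/user/private.txt", LOCAL_DOC],
  ["http://example.net/collect", LOCAL_DOC], // gap noted in the comments
  ["/api/items", REMOTE_DOC],
];

function evaluate(samples) {
  return samples.map(([url, doc]) => ({
    url: url.trim(), doc,
    schemeOnly: schemeAllowed(url, doc),
    strict: strictAllowed(url, doc),
  }));
}

console.table(evaluate(SAMPLES));
```

The fourth row is the case the comments describe: the scheme allowlist alone still lets a page opened from disk reach a remote host, while the stricter policy denies it.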