https://bugs.kde.org/show_bug.cgi?id=398140

            Bug ID: 398140
           Summary: Thumbnail generation causes execution of web page.
           Product: kio-extras
           Version: unspecified
          Platform: Neon Packages
                OS: Linux
            Status: UNCONFIRMED
          Severity: major
          Priority: NOR
         Component: Thumbnails and previews
          Assignee: plasma-b...@kde.org
          Reporter: bugs.kde....@boonhead.nl
  Target Milestone: ---

Premise:
As I'm changing the icon of my Application Menu in KDE, I opened the "Select
Icon" dialog, I chose "Other icons", and "Browse". I get the Dolphin version of
the "common open file dialog".

This dialog opens my home folder. In my home folder I have a sub-directory.
This sub-directory contains an HTML file. The HTML file contains only a
`<video>` tag with attribute `autoplay="true" loop="true" src="[..]`. (In my
case `<video id="vidBanner" class="banner" autoplay="true" loop="true"
src="https://static1.squarespace.com/static/5b5f03d47c93279793af2d46/t/5b86591bb8a045dcb8664a1c/1535531301739/short+commercial.mp4"></video>`)

Problem:
Dolphin's "common open file dialog" starts playing the video. I was baffled as
sound was playing and I had no idea where it was coming from. I thought I was
hacked or something.

If I remove the HTML file containing the `<video>` tag, all behaves normally
again.

The processes involved: thumbnail.so -> QtWebEngineProcess.

If video is being executed within the web page, I wonder what more can be
executed... and possibly exploited...
I have filed this bug as 'major' because I don't know how severe this issue
actually is... feel free to scale the severity down.

I'm using the most recent version of KDE Neon 5.12.6, Frameworks 5.49.0, Qt 5.11.1.
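
A triage helper for the situation described in this report, added here as an example (it is not code from the reporter or from KDE): it walks a directory and lists the HTML files that would play media, run script or fetch remote content if a previewer rendered them. The tag and attribute lists are assumptions and not exhaustive, and the sample URL is a constructed placeholder.

```python
"""Flag HTML files whose preview would play media, run script or fetch remote content."""
import sys
from html.parser import HTMLParser
from pathlib import Path

MEDIA_TAGS = {"video", "audio"}
ACTIVE_TAGS = {"script", "iframe", "object", "embed"}  # assumed list, not exhaustive
REMOTE_PREFIXES = ("http://", "https://", "//")

# Constructed sample modelled on the report; the URL is a placeholder.
SAMPLE = ('<video id="vidBanner" class="banner" autoplay="true" loop="true" '
          'src="https://example.invalid/clip.mp4"></video>')


class ActiveContentFinder(HTMLParser):
    """Collects tags that do something as soon as a renderer loads the page."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # valueless attributes (bare "autoplay") map to None
        if tag in MEDIA_TAGS and "autoplay" in attrs:
            self.findings.append(f"<{tag}> autoplay")
        if tag in ACTIVE_TAGS:
            self.findings.append(f"<{tag}>")
        # href is only fetched at render time on <link>, so check it there only.
        names = ("src", "poster", "data") + (("href",) if tag == "link" else ())
        for name in names:
            value = (attrs.get(name) or "").strip().lower()
            if value.startswith(REMOTE_PREFIXES):
                self.findings.append(f"remote {name} on <{tag}>")


def scan_html(text):
    finder = ActiveContentFinder()
    finder.feed(text)
    finder.close()
    return finder.findings


def scan_tree(root):
    """Map each .html/.htm file under root to its findings (clean files omitted)."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in (".html", ".htm"):
            found = scan_html(path.read_text(errors="replace"))
            if found:
                hits[str(path)] = found
    return hits


if __name__ == "__main__":
    for path, found in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(path, "; ".join(found), sep=": ")
```

Run it with the directory the file dialog was showing as its argument; the file that starts playing will be among those listed with `<video> autoplay`.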
