https://bugs.kde.org/show_bug.cgi?id=486285

            Bug ID: 486285
           Summary: Limit characters used in filenames and warn for others
                    and check for directory traversal
    Classification: Frameworks and Libraries
           Product: frameworks-kio
           Version: 6.0.0
          Platform: Other
                OS: Linux
            Status: REPORTED
          Severity: normal
          Priority: NOR
         Component: Open/save dialogs
          Assignee: kio-bugs-n...@kde.org
          Reporter: myusualnickn...@gmail.com
                CC: kdelibs-b...@kde.org
  Target Milestone: ---

I would like to warn users when certain characters are in a filename, or
certain filenames match reserved words (com in Windows?) that it will break
compatibility.

Users have no reason to know that their filename choices can break stuff, so I
would ask for an option to block creation of files with certain characters, or
to warn users when creating files with certain characters that it may limit
compatibility and suggest removing symbols.

This gets complicated when using Unicode, so allowing UTF-8 or UTF-16 may have
to be a thing, but warning when the path is too long may also be needed.

I would set a warning for things like *$!?><| to be the default for creating a
file, but then have a "don't warn me again" option in the dialog, but have that
warning be set to immutable by a higher priority config, and also make it so
those filenames can be blocked by policy.

I would also have another level of warning for non-typeable and non-printable
characters. A Unicode filter may be needed as people need to save files in
their own language, and some of these bad characters may be escaped out to form
a valid character. So being able to show Unicode control characters as ASCII
might also be a slick option.

I would also consider having a warning when opening a file with a bad name, but
not sure on proper behavior.

I don't want a huge number of warnings to flood a computer when mounting a
volume with malicious names and control characters.

It may be argued that it is not the job of KDE to block ../../../../ but it
seems like it could cause problems. The handling of folders was wonderful, it
warned me that I could not create a file when I did
../../../../../../home/user/foo/bar/baz/file.txt but when I made those
directories it allowed the creation of the file. It may be great behavior, but
I will be deploying KDE in harsh environments.

Testing this in Kate on SUSE Tumbleweed, I just learned about vulnerabilities
in MySQL client because of directory traversal allowing loading of arbitrary
code.

And it might be nice to do something to stop it, or ask the user if they meant
to do it. I am guessing some applications may take an arbitrary string in and
save a file there, and it may not even use the saveas dialog.

This is a debatable thing because some power users might want to do it, but I'm
going to be deploying the system
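
The checks requested above, sketched as an added example that is not part of the original report and is not KIO code. The names `Finding`, `isReserved` and `checkFilename` are hypothetical, the 255-byte component limit is an assumption, and the reserved-name list is the Windows device names (CON, PRN, AUX, NUL, COM1-9, LPT1-9).

```cpp
// Added illustration, not KIO code: every name here is hypothetical.
#include <algorithm>
#include <cctype>
#include <string>

enum Finding : unsigned {
    Ok = 0,
    WarnChar = 1,      // one of the characters listed in the report: *$!?><|
    ControlChar = 2,   // ASCII control byte (0x00-0x1f or 0x7f)
    ReservedName = 4,  // Windows device name such as CON or COM1
    Traversal = 8,     // a ".." path component
    TooLong = 16       // component longer than 255 bytes (assumed limit)
};

// True if the part before the first '.' is a Windows device name.
static bool isReserved(std::string stem) {
    std::transform(stem.begin(), stem.end(), stem.begin(),
                   [](unsigned char c) { return static_cast<char>(std::toupper(c)); });
    if (stem == "CON" || stem == "PRN" || stem == "AUX" || stem == "NUL")
        return true;
    return stem.size() == 4 && stem[3] >= '1' && stem[3] <= '9'
           && (stem.compare(0, 3, "COM") == 0 || stem.compare(0, 3, "LPT") == 0);
}

// Checks every '/'-separated component of what was typed into a name field
// and returns a bitmask of findings, so a caller can warn or block by policy.
unsigned checkFilename(const std::string &input) {
    static const std::string warnChars = "*$!?><|";
    unsigned findings = Ok;
    std::size_t start = 0;
    while (start <= input.size()) {
        std::size_t end = input.find('/', start);
        if (end == std::string::npos) end = input.size();
        const std::string part = input.substr(start, end - start);
        if (part == "..") findings |= Traversal;
        if (part.size() > 255) findings |= TooLong;
        if (isReserved(part.substr(0, part.find('.')))) findings |= ReservedName;
        for (unsigned char c : part) {
            if (c < 0x20 || c == 0x7f) findings |= ControlChar;
            else if (warnChars.find(static_cast<char>(c)) != std::string::npos)
                findings |= WarnChar;
        }
        start = end + 1;
    }
    return findings;
}
```

Bytes above 0x7f pass through untouched, so UTF-8 names in the user's own language are not flagged; Unicode control characters outside ASCII would need a separate check.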
