Re: [Evolution] Security implications of WebKit migration

From: Dan Vratil <dvratil redhat com>
To: evolution-list gnome org
Subject: Re: [Evolution] Security implications of WebKit migration
Date: Thu, 20 Sep 2012 11:39:08 +0200

On Wednesday 22 of August 2012 08:27:05 Paul Menzel wrote:

Dear Evolution folks,


Hi,

sorry for not replying earlier, I didn't notice your question before.


finding two bug reports in the Debian BTS about not-existing security
support for WebKit releases, I am wondering if the WebKit migration of
Evolution will also suffer from that. It comes to my mind, that one of
Microsoft Outlookâs biggest security issues is (was(?)) due to bugs in
the HTML rendering engine.


WebKit provides some elementary security mechanisms - for example does not
allow loading content from different protocol or hostname. We are loading all
emails and their content via our own "mail://" "protocol", so WebKit will
block a request trying to load some content through "file://" for instance.

We have also JavaScript disabled, so malicious emails can't unveil their evil
powers.

The only unfortunate thing we haven't "fixed" yet are plugins. We have to have
plugins enabled in order to be able to inject GtkWidgets (like attachment bar)
into WebKit. This also means that Flash or Java content in enabled and that
they WILL be displayed and executed (assuming you have necessary plugins
installed) in the mail preview. We are aware of this and I have already
discussed with Milan a possible solution - writing our own "ad-block"
extension and force replace all <object> and <applet> tags by a placeholder.

Regarding internal WebKit security (exploits in images, executables binary
code in tag names etc), I must admit I don't know how well WebKit deals with
this. WebKit is massively deployed though, use by Google Chrome, Safari and
others so I would say that this would be handled well, but the linked bugs
indicate otherwise :(


Also I do not know how good the security support for GtkHTML is.


As said Andre, security support for GtkHTML is probably somewhere between
little and none.

Cheers,
Dan



Thanks,

Paul


[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bugh2481
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bugd9625

--
dvratil redhat com | Associate Software Engineer / BaseOS / KDE, Qt
GPG Key: 0xC59D614F6F4AE348
Fingerprint: 4EC1 86E3 C54E 0B39 5FDD B5FB C59D 614F 6F4A E348

Attachment: signature.asc
Description: This is a digitally signed message part.

Follow-Ups:
- Re: [Evolution] Security implications of WebKit migration
  - From: Jose Dapena Paz

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]