[Bug 1022690] [NEW] kmail/kontact message viewer incorrectly defaults to having JavaScript, Java, and Plugins enabled
Scott Kitterman
ubuntu at kitterman.com
Mon Jul 9 18:39:30 UTC 2012
*** This bug is a security vulnerability ***
Public security bug reported:
Upstream has somewhat cryptically suggested applying the upstream patch
in
http://commits.kde.org/kdepim/dbb2f72f4745e00f53031965a9c10b2d6862bd54
as a security fix. No CVE AFAIK.
It appears to apply to kdepim 4.7 (oneiric), 4.8 (precise), and to be
4.9 (quantal).
diff --git a/messageviewer/htmlquotecolorer.cpp
b/messageviewer/htmlquotecolorer.cpp
index b54e989..67c3062 100644
--- a/messageviewer/htmlquotecolorer.cpp
+++ b/messageviewer/htmlquotecolorer.cpp
@@ -40,6 +40,10 @@ QString HTMLQuoteColorer::process( const QString
&htmlSource )
#ifndef KDEPIM_NO_WEBKIT
// Create a DOM Document from the HTML source
QWebPage page(0);
+ page.settings()->setAttribute( QWebSettings::JavascriptEnabled, false );
+ page.settings()->setAttribute( QWebSettings::JavaEnabled, false );
+ page.settings()->setAttribute( QWebSettings::PluginsEnabled, false );
+
QWebFrame *frame = page.mainFrame();
frame->setHtml( htmlSource );
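Review bot: The three setAttribute calls added after `QWebPage page(0);` harden only this temporary page inside HTMLQuoteColorer::process(), and the hunk carries no comment saying why they are needed. Add a one-line comment stating that htmlSource is untrusted message HTML and must not run script, Java or plugins. Consider moving the three calls into a shared helper so that every QWebPage that is handed message HTML gets the same settings; from this hunk alone it is not visible whether the other pages in messageviewer are covered. Because the page is then filled with `frame->setHtml( htmlSource );`, it is also worth checking whether QWebSettings::AutoLoadImages should be switched off here, so that quote colouring does not fetch remote content referenced by the message.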
** Affects: kdepim (Ubuntu)
Importance: Undecided
Status: New
** This bug has been flagged as a security vulnerability
https://bugs.launchpad.net/bugs/1022690