File URIs; was Re (6): Capability of Iceweasel to open a local file.
From: Scott Ferguson <prettyfly.productions@gmail.com>
Date: Wed, 08 Jun 2011 12:07:01 +1000
Scott & others,
> I seem to remember a number of URL handling exploits that could cause a
> problem (if they still exist).
All the admonitions about security have been hypothetical.
Nobody has painted a convincing picture of a possible failure.
> "file:///..." has been used in the past to view directories, and there
> are other variations. It seems an unnecessary risk.
A remote system uses a file URI to view details on my system?
How?
> Have you considered running a tiny webserver on your local machine
> (monkey?) and serving the local file/s from that?
I have Web servers. Yes, allowing access to the file URIs only
from my LAN would achieve the privacy you recommend.
> Only if something follows the link and does something you haven't
> thought of.... How can you determine such a thing is not possible?
You describe the possibility of a file URI on my system which is
an executable and would do harm if executed. OK, I understand.
My file URIs are html files. Strictly data. They can be interpreted
to make images. None can execute. That's a crucial point in this
discussion. A file containing data is innocuous. An executable file
URI could possibly be a hazard. It would be self-inflicted sabotage.
> At the very least the intruder would gain dangerous insights into your
> OS, enabling them to find further exploits. But just knowing what files
> you have on your system is a risk.
My Links, including the file URIs, are public data. Bus schedules
for example. The file URIs are images expressed in html which I
want to publish. The Web is meant to allow publication!
> I have a situation where I want a user to be able to load
> local files from a (local) webpage - and use javascript to modify local
> files ...
Your JavaScript is executable, isn't it? That's your more risky
circumstance.
> ... so please post your outcome.
"http://members.shaw.ca/peasthope/#Links"
Thanks for the discussion, ... Peter E.
--
Telephone 1 360 450 2132. bcc: peasthope at shaw.ca
Shop pages http://carnot.yi.org/ accessible as long as the old drives survive.
Personal pages http://members.shaw.ca/peasthope/ .
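Scott's suggestion of a tiny local web server, in place of publishing file:///... URIs, is the one concrete mitigation in the thread. The following is an added example, not code posted by either correspondent: a loopback-only static server that hands out only allow-listed file types, refuses directory listings, and confines every request path to the served root after percent-decoding and normalisation, so "..", encoded dot segments and symlinks cannot reach outside it. The served directory (/srv/links), the port and the suffix allow-list are assumptions to be replaced with the real values.

```python
#!/usr/bin/env python3
"""Loopback-only static file server for publishing local HTML files.

Added example, not from the original thread. Serving the files over
http://127.0.0.1:8080/ lets a public page link to them without any
file:/// URIs, and keeps the browser's usual same-origin rules in play.
"""
import posixpath
from http.server import HTTPServer, SimpleHTTPRequestHandler
from pathlib import Path
from urllib.parse import unquote, urlsplit

# Assumed values: the directory holding the published HTML and images,
# and the file types that are allowed to leave the server.
SERVE_ROOT = Path("/srv/links")
ALLOWED_SUFFIXES = {".html", ".htm", ".png", ".jpg", ".jpeg", ".gif"}


def resolve_request_path(root, url_path):
    """Map an HTTP request path onto a file under root, or return None.

    Steps a practitioner wants before touching the filesystem:
      1. drop any query string, percent-decode (so %2e%2e is seen as ..),
      2. normalise the path so ../ segments collapse at the root,
      3. resolve symlinks and require the result to stay inside root,
      4. allow only data file types; no directories, no listings.
    """
    root = Path(root).resolve()
    raw = unquote(urlsplit(url_path).path)
    norm = posixpath.normpath("/" + raw.lstrip("/"))
    candidate = (root / norm.lstrip("/")).resolve()
    try:
        candidate.relative_to(root)          # step 3: must remain under root
    except ValueError:
        return None
    if candidate.suffix.lower() not in ALLOWED_SUFFIXES:
        return None                          # step 4: data files only
    if candidate.is_dir():
        return None                          # never list a directory
    return candidate


class LoopbackHandler(SimpleHTTPRequestHandler):
    """Serve only what resolve_request_path() approves."""

    def __init__(self, *args, **kwargs):
        super().__init__(*args, directory=str(SERVE_ROOT), **kwargs)

    def _guarded(self, method):
        if resolve_request_path(SERVE_ROOT, self.path) is None:
            self.send_error(404, "Not found")
            return
        method()

    def do_GET(self):
        self._guarded(super().do_GET)

    def do_HEAD(self):
        self._guarded(super().do_HEAD)

    def translate_path(self, path):
        # Only reached after the guard above accepted the path.
        return str(resolve_request_path(SERVE_ROOT, path) or SERVE_ROOT)

    def list_directory(self, path):
        # Belt and braces: the guard never lets a directory through,
        # but refuse listings explicitly if one is ever requested.
        self.send_error(403, "Directory listing disabled")
        return None


def serve(host="127.0.0.1", port=8080):
    """Bind to loopback only; use the LAN address plus a firewall rule
    if the pages must be reachable from other machines on the LAN."""
    HTTPServer((host, port), LoopbackHandler).serve_forever()


if __name__ == "__main__":
    serve()
```

With this running, a published page links to http://127.0.0.1:8080/bus/schedule.html rather than file:///home/.../schedule.html, and a request such as /%2e%2e/%2e%2e/etc/passwd.html is first normalised to /etc/passwd.html under the served root and then either served from there or answered 404; nothing outside SERVE_ROOT is ever opened.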