Hello Axel,

From: Axel Freyn <axel-fr...@gmx.de>
Date: Tue, 07 Jun 2011 10:40:22 +0200

> I have no webserver at hand, so I haven't tested ...

But you don't need a server. You only need to find a link, on any server
anywhere, which targets a file URI. Then duplicate the file in your own
system. Use a link on my server if you want to try a test.

> The serious security flaw which I see here is the following: This
> allows all remote sites which you're looking at to use "file:///" in
> order to access your local files.

That's true also for javascript. But the remote site does nothing more
serious than provide a file URI. The file can't even execute unless it's
executable. For something bad to occur the user would have to prearrange
a dangerous executable. Then find and click a link targeting that
executable. Could all this happen by accident? More likely for a
blundering user to "cd ~; rm -r *"?

> So, as soon as you set "security.checkloaduri=true", a website you're
> visiting could copy all files from your local disk which you're allowed
> to read (so /etc/shadow would be inaccessible (except you run iceweasel
> as root :-)), but all files in /home/user can be copied).

Only if the local user clicks on the link and the target does the
malicious deed. Why would such a dangerous target executable be lying
around?

> Do you know how that problem is solved in Native Oberon?

The browser, Desktops.OpenDoc, is elementary. Offhand I can't imagine it
doing anything significant. A2 might have a risk. I don't know A2 well
enough to answer for it.

Regards,                     ... Peter E.

-- 
Telephone 1 360 450 2132.
bcc: peasthope at shaw.ca
Shop pages http://carnot.yi.org/ accessible as long as the old drives survive.
Personal pages http://members.shaw.ca/peasthope/ .

Archive: http://lists.debian.org/171057031.62301.47932@cantor.invalid
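The two checks a defender would want from this exchange are (a) spotting links on a fetched remote page that point at file:/// URIs, which is all the remote site can supply, and (b) auditing the local Iceweasel/Firefox prefs file for an explicit setting of security.checkloaduri. The script below is an added example written for this discussion, not code from the thread or from Mozilla; the HTML page and the prefs.js content are constructed samples, and the policy value passed to pref_deviations is an assumption the admin must set according to the documented meaning of the pref for their browser version (the thread treats true as the permissive setting).

```python
import re
from html.parser import HTMLParser

# Constructed sample page (not from the thread): one ordinary link,
# one anchor targeting a file URI, one image fetched from a file URI.
SAMPLE_HTML = """\
<html><body>
<a href="https://example.invalid/page.html">remote page</a>
<a href="file:///home/user/notes.txt">local notes</a>
<img src="FILE:///etc/hostname">
</body></html>
"""

# Constructed sample prefs.js (not from the thread).
SAMPLE_PREFS = """\
user_pref("browser.startup.homepage", "about:blank");
user_pref("security.checkloaduri", true);
"""


class FileUriLinkFinder(HTMLParser):
    """Collects href/src attributes whose scheme is file:, case-insensitively."""

    ATTRS = ("href", "src")

    def __init__(self):
        super().__init__()
        self.hits = []  # list of (tag, attribute, value)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in self.ATTRS and value:
                v = value.strip()
                if v.lower().startswith("file:"):
                    self.hits.append((tag, name, v))


def find_file_uri_references(html):
    """Return every (tag, attr, value) in the page that references a file: URI."""
    parser = FileUriLinkFinder()
    parser.feed(html)
    parser.close()
    return parser.hits


# Matches one user_pref("name", value); line of a Mozilla prefs.js / user.js.
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')


def parse_prefs(text):
    """Parse user_pref lines into a dict with bool/int/str values."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        key, raw = m.group(1), m.group(2).strip()
        if raw == "true":
            val = True
        elif raw == "false":
            val = False
        elif len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            val = raw[1:-1]
        else:
            try:
                val = int(raw)
            except ValueError:
                val = raw
        prefs[key] = val
    return prefs


def pref_deviations(prefs, policy):
    """Return explicitly set prefs whose value differs from the given policy.

    `policy` maps pref name -> required value; it is supplied by the admin
    (assumption: the caller knows the correct value for their browser version).
    """
    return {k: prefs[k] for k, want in policy.items()
            if k in prefs and prefs[k] != want}


if __name__ == "__main__":
    for tag, attr, value in find_file_uri_references(SAMPLE_HTML):
        print(f"file: URI in <{tag} {attr}>: {value}")
    prefs = parse_prefs(SAMPLE_PREFS)
    # Assumed policy, following the thread's framing of true as permissive.
    for k, v in pref_deviations(prefs, {"security.checkloaduri": False}).items():
        print(f"pref {k} explicitly set to {v!r}, differs from policy")
```

The HTML scan is scheme-based and case-insensitive, so it catches FILE: as well as file:, and it reports src attributes too, since an image or script reference to a file URI is as relevant to this policy as an anchor is. The prefs parser only handles the user_pref lines that prefs.js and user.js contain; it ignores comments and anything it cannot match.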