Re (5): Capability of Iceweasel to open a local file.

[peasthope@shaw.ca]

Hello Axel,

From:	Axel Freyn <axel-freyn@gmx.de>
Date:	Tue, 07 Jun 2011 10:40:22 +0200
> I have no webserver at hand, so I haven't tested ...

But you don't need a server.  You only need to find a link, on any 
server anywhere, which targets a file URI.  Then duplicate the file 
in your own system.  Use a link on my server if you want to try a test.

> The serious security flaw which I see here is the following: This
> allows all remote site which you're looking at to use "file:///" in
> order to acces your local files. That's true also for javascript. 

But the remote site does nothing more serious than provide a file URI.
The file can't even execute unless it's executeable.  For something bad to 
occur the user would have to prearrange a dangerous executeable.  Then 
find and click a link targeting that executeable.  Could all this happen 
by accident?  More likely for a blundering user to "cd ~; rm -r *"?

> So, as
> soon as you set "security.checkloaduri=true", a website you're visiting
> could copy all files from your local disk which you're allowed to read
> (so /etc/shadow would be inaccessible (except you run iceweasel as root
> :-)), but all files in /home/user kann be copied).

Only if the local user clicks on the link and the target does the malicious 
deed.  Why would such a dangerous target executeable be lying around?

> Do you know how that problem is solved in Native Oberon?

The browser, Desktops.OpenDoc, is elementary.  Off hand I can't imagine 
it doing anything significant.  A2 might have a risk.  I don't know A2 
well enough to answer for it.

Regards,               ... Peter E.




-- 
Telephone 1 360 450 2132.  bcc: peasthope at shaw.ca
Shop pages http://carnot.yi.org/ accessible as long as the old drives survive.
Personal pages http://members.shaw.ca/peasthope/ .