
File URIs; was Re (6): Capability of Iceweasel to open a local file.



Scott & others,

From:	Scott Ferguson <prettyfly.productions@gmail.com>
Date:	Wed, 08 Jun 2011 12:07:01 +1000
> I seem to remember a number of URL handling exploits that could cause a
> problem (if they still exist). 

All the admonitions about security have been hypothetical.
Nobody has painted a convincing picture of a possible failure.

> "file:///..." has been used in the past to view directories, and there
> are other variations.  It seems an unnecessary risk. 

A remote system uses a file URI to view details on my system?
How?

> Have you considered running a tiny webserver on your local machine 
> (monkey?) and serving the local file/s from that?

I have Web servers.  Yes, only allowing access to the file URIs
from my LAN would achieve the privacy you recommend.

> Only if something follows the link and does something you haven't
> thought of.... How can you determine such a thing is not possible?

You describe the possibility of a file URI on my system which is
an executable and would do harm if executed.  OK, I understand.
My file URIs are html files.  Strictly data.  They can be interpreted
to make images.  None can execute.  That's a crucial point in this
discussion.  A file containing data is innocuous.  An executable file
URI could, possibly, be a hazard.  It would be self-inflicted sabotage.

> At the very least the intruder would gain dangerous insights into your
> OS, enabling them to find further exploits. But just knowing what files
> you have on your system is a risk.

My Links, including the file URIs, are public data.  Bus schedules 
for example.  The file URIs are images expressed in html which I 
want to publish.  The Web is meant to allow publication!

> I have a situation where I want a user to be able to load
> local files from a (local) webpage - and use javascript to modify local
> files ...

Your javascript is executable, isn't it?  That's your more risky
circumstance.

> ... so please post your outcome.

http://members.shaw.ca/peasthope/#Links

Thanks for the discussion,                     ... Peter E.

-- 
Telephone 1 360 450 2132.  bcc: peasthope at shaw.ca
Shop pages http://carnot.yi.org/ accessible as long as the old drives survive.
Personal pages http://members.shaw.ca/peasthope/ .
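The alternative Scott raises above, a small web server on the local machine serving the files instead of publishing file:// links, restricted to the LAN as Peter agrees would give the intended privacy, looks roughly like the following. This is an added example, not code from either poster and not the "monkey" server mentioned in the thread; it uses only the Python standard library. The document root, the LAN address ranges and the port are assumptions to adjust; the server hands out only plain files under that one directory, never a directory listing, and refuses requests that try to step outside it.

```python
# Added example (not from the original thread): a minimal static file server
# that serves one directory to LAN clients only, as a substitute for file:// links.
import ipaddress
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer
from pathlib import Path
from typing import Optional
from urllib.parse import unquote, urlsplit

# Assumed values: the only directory ever served, and the networks allowed to read it.
DOC_ROOT = Path("/srv/links").resolve()
ALLOWED_NETS = [ipaddress.ip_network("127.0.0.0/8"),
                ipaddress.ip_network("192.168.0.0/16")]


def client_allowed(addr: str) -> bool:
    """True only if the client address lies inside one of the LAN ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:          # not an IP address at all
        return False
    return any(ip in net for net in ALLOWED_NETS)


def resolve_request_path(url_path: str, root: Path = DOC_ROOT) -> Optional[Path]:
    """Map a request path onto a plain file under root.

    Returns None when the path escapes root (after decoding and collapsing
    '..' and symlinks), names a directory without an index.html, or does not
    exist.  Directories are never listed, which is the behaviour the thread
    worries about with file:///.
    """
    rel = unquote(urlsplit(url_path).path).lstrip("/")
    candidate = (root / rel).resolve()          # collapses '..' and symlinks
    if candidate != root and root not in candidate.parents:
        return None                             # would leave the document root
    if candidate.is_dir():
        candidate = candidate / "index.html"    # serve an index instead of a listing
    if not candidate.is_file():
        return None
    return candidate


class LanOnlyHandler(SimpleHTTPRequestHandler):
    """GET-only handler: LAN address check first, then the path check."""

    def do_GET(self):
        if not client_allowed(self.client_address[0]):
            self.send_error(403, "LAN clients only")
            return
        target = resolve_request_path(self.path)
        if target is None:
            self.send_error(404)
            return
        data = target.read_bytes()
        self.send_response(200)
        self.send_header("Content-Type", self.guess_type(str(target)))
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_HEAD(self):
        # Not needed for this use; refuse rather than inherit the base class's
        # directory-listing code path.
        self.send_error(405)


def serve(bind: str = "0.0.0.0", port: int = 8080) -> None:
    """Run the server until interrupted (bind address and port are assumptions)."""
    with ThreadingHTTPServer((bind, port), LanOnlyHandler) as httpd:
        httpd.serve_forever()


if __name__ == "__main__":
    serve()
```

The LAN check in `client_allowed` is a convenience, not a substitute for a firewall: anything that can reach the port with a spoofable source address, or a host on the LAN itself, sees the files, which is exactly the audience Peter describes wanting.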

