Re: Firefox PDF download - strange behaviour.



On Tue, 18 Jan 22, 11:35:04, The Wanderer wrote:
> 
> Looking at that example, I note that it starts with the variable name
> "currentDirHandle". I think it's intended, although not explicitly
> stated, that the directory path specified in that function call is
> *relative*; that would let the API be used to create subdirectory trees
> underneath the user-chosen directory, but not outside of there.
> 
> So this could potentially be dangerous if the user chooses a directory
> location that's high enough in the directory tree to have important
> files already underneath it, but not if the user chooses e.g. a
> dedicated Downloads directory.
> 
> I can still envision scenarios in which this could be dangerous, but
> unless there are ways to get access to a file-handle variable that don't
> rely on something directly user-interactive (the ones described in that
> page are file-picker dialogs and "drag and drop a file into (a specific
> area of?) the browser window"), I don't think it can plausibly do so in
> a way that's invisible to the user.

This reminds me of 

https://arstechnica.com/gadgets/2021/07/separate-eop-flaws-let-hackers-gain-full-control-of-windows-and-linux-systems/

(the second part, with the Linux vulnerability)

Letting some random site have access to local storage seems like a Very 
Bad Idea.

Kind regards,
Andrei
-- 
http://wiki.debian.org/FAQsFromDebianUser
