Ishikawa <[EMAIL PROTECTED]> wrote:
> due to the problems mentioned,
> we should not forget that a famous browser client on
> Linux is similarly guilty.
> 
> I tried the following URLs with
> my netscape browser under Linux.
> 
>     file:///dev/null
...
>     file:///dev/zero
...
>     file:///dev/pty0

  A 'stat' of all of these files shows that they are not regular
files.  There's no reason, then, to open them in the browser.

> If someone wants to be nasty, he/she can
> create a web page with
> URLs inside <IMG SRC="these device files" ....>
> listing DOS devices as well as these popular UNIX devices.

  I question the wisdom of browsers which allow external web pages to
reference local files via 'file://' URLs.

> As someone mentioned, we can't predict what other
> device files may show up in the future by addition of
> new hardware drivers.

  We also cannot predict where special files exist, either.  Placing
the special file 'zero' in '/dev' is simply an administrative
convention on many Unix systems.  Device files can exist anywhere.

> One may be tempted to block all the files below /dev inside
> the browser/servers.
> Could this be a cure for this problem under linux/UNIX?

  No.  The browsers should be using the 'fstat' function, prior to
opening any 'file://' URL.  Regular files and directories should be
OK.  Links should have their links de-referenced, and the linked-to
file 'fstat'ed also.  Any other files should be ignored.

  Alan DeKok.
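
  The check described in the message above, written out as an added example in C; it is not code from the original posts or from any browser. The path taken from a 'file://' URL is opened and the resulting descriptor is passed to fstat(); anything that is not a regular file or a directory is refused. It assumes a POSIX system, and the use of O_NONBLOCK and O_NOCTTY on the open() is my own choice (the message does not specify flags): without O_NONBLOCK an open() on a FIFO with no writer blocks forever, and without O_NOCTTY opening a terminal device can make it the process's controlling terminal. The fixture files created under /tmp by selftest_fixture() are constructed for the demonstration.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Open a local path that came from a file:// URL and return a descriptor
 * only if the object actually opened is a regular file or a directory.
 * The type check is done with fstat() on the open descriptor, so it
 * applies to the object we hold rather than to a path that could be
 * re-pointed between a stat() and a later open().  open() follows
 * symbolic links, so fstat() already reports the link target.
 *
 * O_NONBLOCK: open() must not wait for a FIFO writer or a device to be
 *             ready; a hostile page must not be able to hang the client.
 * O_NOCTTY:   opening a tty must not make it our controlling terminal.
 *
 * Returns a descriptor (>= 0) on success, or -1 with errno set
 * (EINVAL when the object is a device, FIFO, socket, etc.).
 */
int open_file_url_checked(const char *path)
{
    int fd = open(path, O_RDONLY | O_NONBLOCK | O_NOCTTY);
    if (fd < 0)
        return -1;

    struct stat st;
    if (fstat(fd, &st) < 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }

    if (!S_ISREG(st.st_mode) && !S_ISDIR(st.st_mode)) {
        close(fd);               /* /dev/zero, /dev/pty0, a FIFO, ... */
        errno = EINVAL;
        return -1;
    }

    /* Hand the caller a normal blocking descriptor again. */
    int fl = fcntl(fd, F_GETFL);
    if (fl >= 0)
        (void)fcntl(fd, F_SETFL, fl & ~O_NONBLOCK);
    return fd;
}

/* 1 if the path would be accepted by the check above, 0 otherwise. */
int file_url_is_openable(const char *path)
{
    int fd = open_file_url_checked(path);
    if (fd < 0)
        return 0;
    close(fd);
    return 1;
}

/*
 * Constructed fixture: a regular file, the directory itself, a FIFO and
 * a symlink pointing at /dev/null, all created in a fresh temp directory.
 * Returns how many of the four checks behaved as expected (4 = all).
 */
int selftest_fixture(void)
{
    char dir[] = "/tmp/fileurlXXXXXX";
    if (!mkdtemp(dir))
        return -1;
    char reg[256], fifo[256], lnk[256];
    snprintf(reg,  sizeof reg,  "%s/page.html", dir);
    snprintf(fifo, sizeof fifo, "%s/pipe", dir);
    snprintf(lnk,  sizeof lnk,  "%s/devnull", dir);

    int passed = 0;
    FILE *f = fopen(reg, "w");
    if (f) { fputs("<html>constructed sample</html>\n", f); fclose(f); }
    if (file_url_is_openable(reg) == 1) passed++;              /* regular file: ok */
    if (file_url_is_openable(dir) == 1) passed++;              /* directory: ok */
    if (mkfifo(fifo, 0600) == 0 && file_url_is_openable(fifo) == 0)
        passed++;                                              /* FIFO: refused, no hang */
    if (symlink("/dev/null", lnk) == 0 && file_url_is_openable(lnk) == 0)
        passed++;                                              /* link -> device: refused */

    unlink(reg); unlink(fifo); unlink(lnk); rmdir(dir);
    return passed;
}

int main(void)
{
    const char *paths[] = { "/dev/null", "/dev/zero", "/", NULL };
    for (int i = 0; paths[i]; i++)
        printf("%-10s %s\n", paths[i], file_url_is_openable(paths[i]) ? "ok" : "refused");
    printf("fixture checks passed: %d/4\n", selftest_fixture());
    return 0;
}
```

  Checking the open descriptor with fstat(), rather than stat()'ing the path first, means the verdict cannot be invalidated by the file being replaced between the check and the open; and because open() itself follows symbolic links, the link target is what gets classified, which is the behaviour the message asks for. Note that the O_NONBLOCK is only there for the duration of the check and is cleared before the descriptor is returned.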
