> -----Original Message-----
> From: [EMAIL PROTECTED] [SMTP:[EMAIL PROTECTED]]
> Sent: Wednesday, July 18, 2001 12:10
> To: [EMAIL PROTECTED]
> Subject: Re: Linux, too, sot of (Windows MS-DOS Device Name DoS
> vulnerabilities)
>
> Ishikawa <[EMAIL PROTECTED]> wrote:
> > due to the problems mentioned,
> > we should not forget that a famous browser client on
> > Linux is similarly guilty.
> >
> > I tried the following URLs with
> > my netscape browser under Linux.
> >
> > file:///dev/null
> ...
> > file:///dev/zero
> ...
> > file:///dev/pty0
>
> A 'stat' of all of these files shows that they are not regular
> files. There's no reason, then, to open them in the browser.
>
> > If someone wants to be nasty, he/she can
> > create a web page with
> > URLs inside <IMG SRC="these device files" ....>
> > listing DOS devices as well as these popular UNIX devices.
>
> I question the wisdom of browsers which allow external web pages to
> reference local files via 'file://' URLs.
>
I agree; that's really the underlying problem. Checking for special
files is a band-aid fix that also limits flexibility.
References to 'local' URLs (file: and otherwise) from 'non-local'
documents should at least produce a confirmation dialog. Beyond that,
configurable policy facilities like those starting to show up in browsers
for cookies etc. would be nice.

> > As someone mentioned, we can't predict what other
> > device files may show up in the future by addition of
> > new hardware drivers.
>
> We also cannot predict where special files exist, either. Placing
> the special file 'zero' in '/dev' is simply an administrative
> convention on many Unix systems. Device files can exist anywhere.
>
On some kernels (HURD, or Linux/*BSD with userfs), normal files can
be equally "magic".
As a general principle, regardless of platform, local paths may
encompass more than just 'dumb' files, so following 'remote' references to
them should be restricted.
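
The policy argued for in this message, as an added example (not code from the thread or from any browser): the origin check comes first, and the 'stat' test is only a second layer for local documents. The names check_reference and remote_to_local are hypothetical, and treating only file: as 'local' is an assumption.

```python
import os
import stat
from urllib.parse import urlsplit, unquote


def is_local_url(url):
    # Assumption: only file: counts as a 'local' scheme in this sketch.
    return urlsplit(url).scheme.lower() == "file"


def check_reference(document_url, resource_url, remote_to_local="confirm"):
    """Decide whether a document may load a sub-resource (e.g. IMG SRC).

    Returns "allow", "confirm" or "block". remote_to_local is the
    configurable policy ("confirm" or "block") applied when a non-local
    document references a file: URL.
    """
    if not is_local_url(resource_url):
        return "allow"
    if not is_local_url(document_url):
        # Decided without touching the file system: a path may be 'magic'
        # even when it looks like a regular file (userfs, HURD).
        return remote_to_local
    path = unquote(urlsplit(resource_url).path)
    try:
        st = os.stat(path)  # follows symlinks, like the open that would follow
    except OSError:
        return "block"
    # Second layer only: refuse devices, FIFOs, sockets and directories
    # wherever they live, not just under /dev.
    return "allow" if stat.S_ISREG(st.st_mode) else "block"


if __name__ == "__main__":
    # Constructed sample references, not taken from a real page.
    samples = [
        ("http://example.test/page.html", "file:///dev/zero"),
        ("file:///tmp/index.html", "file:///dev/null"),
        ("http://example.test/page.html", "http://example.test/a.png"),
    ]
    for doc, res in samples:
        print(doc, "->", res, ":", check_reference(doc, res))
```

A loader that goes on to open the file should repeat the check with fstat on the opened descriptor, since the path can change between the stat and the open.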