Scott & others,

From: Scott Ferguson <[email protected]>
Date: Wed, 08 Jun 2011 12:07:01 +1000
> I seem to remember a number of URL handling exploits that could cause a
> problem (if they still exist).

All the admonitions about security have been hypothetical. Nobody has painted a convincing picture of a possible failure.

> "file:///..." has been used in the past to view directories, and there
> are other variations. It seems an unnecessary risk.

A remote system uses a file URI to view details on my system? How?

> Have you considered running a tiny webserver on your local machine
> (monkey?) and serving the local file/s from that?

I have Web servers. Yes, only allowing access to the file URIs from my LAN would achieve the privacy you recommend.

> Only if something follows the link and does something you haven't
> thought of....

How can you determine such a thing is not possible?

You describe the possibility of a file URI on my system which is an executable and would do harm if executed. OK, I understand. My file URIs are html files. Strictly data. They can be interpreted to make images. None can execute. That's a crucial point in this discussion. A file containing data is innocuous. An executable file URI could, possibly, be a hazard. It would be self-inflicted sabotage.

> At the very least the intruder would gain dangerous insights into your
> OS, enabling them to find further exploits. But just knowing what files
> you have on your system is a risk.

My Links, including the file URIs, are public data. Bus schedules for example. The file URIs are images expressed in html which I want to publish. The Web is meant to allow publication!

> I have a situation where I want a user to be able to load
> local files from a (local) webpage - and use javascript to modify local
> files ...

Your javascript is executable isn't it? That's your more risky circumstance.

> ... so please post your outcome.

"http://members.shaw.ca/peasthope/#Links"

Thanks for the discussion, ... Peter E.

-- 
Telephone 1 360 450 2132.
bcc: peasthope at shaw.ca
Shop pages http://carnot.yi.org/ accessible as long as the old drives survive.
Personal pages http://members.shaw.ca/peasthope/ .
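An added check, not part of Peter's or Scott's messages: a small Python script that lists the file:// links in a page and maps those under a chosen directory to the LAN-only web server Scott suggested, refusing anything outside that directory. The page, paths and host name below are constructed for the example.

```python
"""Find file:// links in an HTML page and rewrite them to a LAN web server.

A file:// href in a published page is resolved on the *visitor's* machine,
so it never serves the author's file to a remote reader; it only reveals
the author's local path. Serving the same files through a LAN-only web
server keeps them reachable at home without publishing local paths.
All paths, host names and the sample page here are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit
import posixpath


class LinkCollector(HTMLParser):
    """Collect every href/src value in the document, in order."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.links.append(value)


def file_links(html):
    """Return the file:// URIs found in html, in document order."""
    parser = LinkCollector()
    parser.feed(html)
    return [link for link in parser.links if urlsplit(link).scheme == "file"]


def rewrite_to_lan(uri, local_root, lan_base):
    """Map file://<local_root>/x to <lan_base>/x; None if outside the root."""
    path = urlsplit(uri).path
    root = local_root.rstrip("/") + "/"
    if not path.startswith(root):
        return None                     # file lives outside the served directory
    rel = posixpath.normpath(path[len(root):])
    if rel.startswith(".."):
        return None                     # ".." would climb out of the root
    return lan_base.rstrip("/") + "/" + rel


# Constructed sample page mixing public and local links.
SAMPLE = """<html><body>
<a href="http://members.shaw.ca/peasthope/">Home</a>
<a href="file:///home/peter/www/bus-schedule.html">Bus schedule</a>
<img src="file:///home/peter/www/map.png">
<a href="file:///etc/hostname">outside the published directory</a>
</body></html>"""

if __name__ == "__main__":
    for uri in file_links(SAMPLE):
        print(uri, "->", rewrite_to_lan(uri, "/home/peter/www", "http://192.168.1.10"))
```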
Archive: http://lists.debian.org/[email protected]

