-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On 04/25/2014 03:15 PM, Ralph Giles wrote: > On 2014-04-25 11:47 AM, Mike Hoye wrote: > >> Because people download executable files with the expectation >> that they can easily execute them. > > I ask because allowing web content to add executable files has > security risks. URLs don't have unix permissions, but I see on > Windows anything with a .exe extension ends up executable through > the current download manager, so any difference would be down to > how much control the page has over file location.
AIUI, Windows makes no distinction between "readable" and "executable" in file permissions. Files are executable if their extension is recognized, and not otherwise. In fact, the download manager doesn't ever make files executable in Unixy terms, and I'm not sure I would want it to. Perhaps that bit can be removed. (OS.File still needs to use 0777 instead of 0666 when asked to do this to a *directory*, but that is a separate issue. That too may never come up in practice; for instance, I think that if you click the 'create new directory' button in the 'save file as' dialog box, it is actually the OS's file-picker implementation that calls mkdir() and we never get a chance to opine what its permissions should be...) zw -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 Comment: Using GnuPG with Icedove - http://www.enigmail.net/ iQIcBAEBCAAGBQJTWrblAAoJEJH8wytnaapkOmkP/AqAt938Yojt4OWJBIah5Msn GRYwER/pj2nIOMOYyiknZ/BYxoHIiP2AZo3KjzkvydlNJwXnD5l4vvlUmAQMTdUM /+ODcFTY/kWAMIHiedAgUK0GheqDtee6iohVTv8hVUCRJqjlnWJ0IO2GEaLh0KJ8 1eqqfeZhiPefTJnIZGKCtO7wC9NssS6ltJoP4O8vNJ4WKWhsCT4YO9q0OxDL/Fud JiSOqruxUhJ86CeAlI9ExHGVArScZzr6kQwbmuoVF5rG1MNNLVFmbXG9JbR+Gryy vbHDAKeHrGusGOC3kitELC7o1iAC72D6iO77AcCuKHygNTy3z4uqt3JOukhvi8Wk TFXNHu0CJBkg7JUa3PvkOCRd2rFf7/ZGJB7SlhrAz1mWWkX2pejnqfju+99FSnT2 ZtYRj5XJ7OyoEQA501Sl7IB8lnHMf8IyGn3e6ISai8niNWtP2/Hq7cF0r7Z1r5Hk 4c2zrM++m2X0YArmH4/qUUkTGttzTgBQsSZbOGzChskWqJ46HOv0rYZsuRp8m/eP Y78bRoGi/1N6LN9Qz0OwvdLCOV1kspZXOlhOFyDTk+sPzencxy4pTw55+Xf6T9QJ VCu1y+cQ7KgMEfYyCyVqEkzxjwyrdn1VeiJ5011yBACU47QI0l9MF7UVYqSnhYmW 7vq5PFB5XVMlwsNntPNU =h5uA -----END PGP SIGNATURE----- _______________________________________________ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform
