06-07-2011, 12:39 AM

Re (5): Capability of Iceweasel to open a local file.

From: Ron Johnson <ron.l.johnson@cox.net>
Date: Mon, 06 Jun 2011 17:37:25 -0500
> Could it be that Native Oberon works differently than Linux + FF do?

Yes, my examples show a difference. NO opens the file URI. Iceweasel does not.

> Nope. Just your understanding.

Quite possible. If someone can point out the error in my file URI,
that will really help. If someone can tell me how to fix it, so
much the better.

Thanks, ... Peter E.


--
Telephone 1 360 450 2132. bcc: peasthope at shaw.ca
Shop pages http://carnot.yi.org/ accessible as long as the old drives survive.
Personal pages http://members.shaw.ca/peasthope/ .


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/171057030.68074.45383@heaviside.invalid
 
06-07-2011, 02:52 AM
Carl Fink

Re (5): Capability of Iceweasel to open a local file.

On Mon, Jun 06, 2011 at 04:39:42PM -0800, peasthope@shaw.ca wrote:
> From: Ron Johnson <ron.l.johnson@cox.net>
> Date: Mon, 06 Jun 2011 17:37:25 -0500

> Quite possible. If someone can point out the error in my file URI,
> that will really help. If someone can tell me how to fix it, so
> much the better.

"file" is a *protocol*. It means to use the OS's direct access to files.
"http" is a protocol. It says to connect over the network using the
Hypertext Transfer Protocol and request the file. You want Firefox to use
the "file" protocol even if the URL says to use the "http" protocol. That
would be broken behavior, and if your mysterious "Oberon" is doing that it's
broken.
--
Carl Fink nitpicking@nitpicking.com

Read my blog at blog.nitpicking.com. Reviews! Observations!
Stupid mistakes you can correct!

Archive: http://lists.debian.org/20110607025243.GA26641@panix.com
 
06-07-2011, 10:33 PM

Re (5): Capability of Iceweasel to open a local file.

From: Liam O'Toole <liam.p.otoole@gmail.com>
Date: Tue, 07 Jun 2011 09:09:58 +0000 (UTC)
> ... lynx opens the file ...

Thanks. I didn't try lynx.

> ... issue of iceweasel opening file:// links from http:// documents.

Suppose you have the valid file Category2.html in your home directory.
Using File > Open File, Iceweasel interprets Category2.html and
displays "file:///home/<user>/Category2.html" in the URI bar. By
default, a user is allowed to open his/her own files.

If you type this into the URI bar,
"file:///home/<user>/Category2.html"<Enter>
Iceweasel opens the file as in the previous case.

Suppose "file:///home/<user>/Category2.html" exists in any selectable
text. Select that file URI, copy to the clipboard and paste into the
Iceweasel URI bar. Then hit <Enter>. Again Iceweasel opens the file.

Now suppose that you see a link anchor "Click here" in a page
displayed by Iceweasel and the target of the link is
"file:///home/<user>/Category2.html". If the mouse pointer is on
the anchor, Iceweasel displays that file URI at the bottom of the
window but a click produces nothing.

> That is disabled by default for security reasons, ...

The only important difference from the preceding cases is that the
user might not focus attention on the target. Iceweasel is protecting
a user from careless clicking. Similar to not allowing a click or
double click on the icon of a program in a GUI to cause the program
to begin execution. But GUIs became popular for such capabilities!

> ... can be enabled by toggling the value of the "security.checkloaduri"
> configuration preference. Go to the special URL "about:config" to change
> it if you wish.

Thanks. A non-obvious setting if ever there was one. How might John
Doe OrdinaryUser discover the existence and effect of this parameter?

Here "Value" can be unchecked but it doesn't stick. The file URI still
won't open and if about:config is opened again, security.checkloaduri is
back to the original state with Status, Type and Value all checked.
Something is different in your system.

Yikes! The default setting is obviously well established with zero or
less chance of being changed. Thanks for explaining.

Regards, ... Peter E.

Archive: http://lists.debian.org/171057031.59466.47931@cantor.invalid
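The cases Peter walks through above (typed, pasted, File > Open File, and a clicked link from an http page) are all decided by one check in the browser: does the document that initiates the load have at least the authority of the target? Below is an added example that models that check; it is not Iceweasel/Firefox source and the rule set is my assumption, written to reproduce the behaviour the thread reports. Two practitioner caveats: the check applies to script-initiated loads (XMLHttpRequest, `<img src>`, `<iframe>`) exactly as to a clicked link, which is why Axel's JavaScript point matters, and the `security.checkloaduri` pref named in the thread belongs to Firefox 2; Firefox 3 and later replaced it with a file URI origin policy, so the http-to-file block is not a user-toggleable preference in the Iceweasel of 2011, which matches Peter's observation that his change "doesn't stick". The source and target URIs below are constructed for illustration.

```javascript
// Added example: a simplified model of a browser's "check load URI" policy.
// NOT Iceweasel/Firefox code; the rules are an assumption mirroring the
// behaviour reported in the thread: a user-typed or pasted file: URI opens,
// a file: page may link to file:, but an http(s) page may not reach file:
// targets, whether by link, subresource, or script.

// Schemes that name local or privileged resources (assumed set).
const LOCAL_SCHEMES = new Set(['file:', 'chrome:', 'resource:']);

// How the load was initiated. The URI bar carries the browser's own authority
// (there is no web origin behind it), so there is no source document to restrict.
const Initiator = Object.freeze({
  URI_BAR: 'uri-bar',         // typed, pasted, or File > Open File
  LINK: 'link',               // <a href> click
  SUBRESOURCE: 'subresource', // <img>, <script src>, <iframe>
  SCRIPT: 'script',           // XMLHttpRequest / fetch from page script
});

// Scheme of a URI including the trailing ':' ("file:", "http:").
function schemeOf(uri) {
  return new URL(uri).protocol;
}

// Decide whether `source` (the initiating document, null for the URI bar)
// may load `target`. Returns { allowed, reason }.
function checkLoadURI(source, target, initiator) {
  const tScheme = schemeOf(target);
  if (initiator === Initiator.URI_BAR) {
    return { allowed: true, reason: 'load initiated by the user, not by a document' };
  }
  if (source === null) {
    throw new Error('document-initiated load needs a source URI');
  }
  const sScheme = schemeOf(source);
  // The only denial: a non-local document reaching for a local scheme.
  if (LOCAL_SCHEMES.has(tScheme) && !LOCAL_SCHEMES.has(sScheme)) {
    return {
      allowed: false,
      reason: `${sScheme} document may not load ${tScheme} target (${initiator})`,
    };
  }
  return { allowed: true, reason: 'source is at least as privileged as target' };
}

// Constructed sample cases (assumed paths) reproducing the thread's scenarios.
const CATEGORY2 = 'file:///home/user/Category2.html';
const CASES = [
  [null, CATEGORY2, Initiator.URI_BAR],                                // typed/pasted
  ['file:///home/user/index.html', CATEGORY2, Initiator.LINK],         // file -> file
  ['http://carnot.yi.org/', CATEGORY2, Initiator.LINK],                // "Click here" on an http page
  ['http://carnot.yi.org/', CATEGORY2, Initiator.SCRIPT],              // XHR from that page
  ['http://carnot.yi.org/', 'https://www.debian.org/', Initiator.LINK], // ordinary web link
];

// Evaluate every case and return the decisions (also printed when run directly).
function runCases(cases = CASES) {
  return cases.map(([source, target, initiator]) => ({
    source, target, initiator, ...checkLoadURI(source, target, initiator),
  }));
}

for (const r of runCases()) {
  console.log(`${r.allowed ? 'ALLOW' : 'DENY '} ${r.initiator.padEnd(11)} ${r.source || '(URI bar)'} -> ${r.target}: ${r.reason}`);
}
```

The model makes the asymmetry explicit: the same `file:///home/<user>/Category2.html` string is allowed or denied purely on who asked, and nothing about the target (executable or not) enters the decision.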
 
06-07-2011, 11:13 PM

Re (5): Capability of Iceweasel to open a local file.

Hello Axel,

From: Axel Freyn <axel-freyn@gmx.de>
Date: Tue, 07 Jun 2011 10:40:22 +0200
> I have no webserver at hand, so I haven't tested ...

But you don't need a server. You only need to find a link, on any
server anywhere, which targets a file URI. Then duplicate the file
in your own system. Use a link on my server if you want to try a test.

> The serious security flaw which I see here is the following: This
> allows all remote sites which you're looking at to use "file:///" in
> order to access your local files. That's true also for javascript.

But the remote site does nothing more serious than provide a file URI.
The file can't even execute unless it's executable. For something bad to
occur the user would have to prearrange a dangerous executable. Then
find and click a link targeting that executable. Could all this happen
by accident? More likely for a blundering user to "cd ~; rm -r *"?

> So, as
> soon as you set "security.checkloaduri=true", a website you're visiting
> could copy all files from your local disk which you're allowed to read
> (so /etc/shadow would be inaccessible (except you run iceweasel as root
> :-)), but all files in /home/user can be copied).

Only if the local user clicks on the link and the target does the malicious
deed. Why would such a dangerous target executable be lying around?

> Do you know how that problem is solved in Native Oberon?

The browser, Desktops.OpenDoc, is elementary. Off hand I can't imagine
it doing anything significant. A2 might have a risk. I don't know A2
well enough to answer for it.

Regards, ... Peter E.

Archive: http://lists.debian.org/171057031.62301.47932@cantor.invalid
 
06-08-2011, 02:07 AM
Scott Ferguson

Re (5): Capability of Iceweasel to open a local file.

On 08/06/11 09:13, peasthope@shaw.ca wrote:
> Hello Axel,
>
> From: Axel Freyn <axel-freyn@gmx.de>
> Date: Tue, 07 Jun 2011 10:40:22 +0200
>> I have no webserver at hand, so I haven't tested ...
>
> But you don't need a server. You only need to find a link, on any
> server anywhere, which targets a file URI. Then duplicate the file
> in your own system. Use a link on my server if you want to try a test.
>
>> The serious security flaw which I see here is the following: This
>> allows all remote sites which you're looking at to use "file:///" in
>> order to access your local files. That's true also for javascript.
>
> But the remote site does nothing more serious than provide a file URI.
> The file can't even execute unless it's executable. For something bad to
> occur the user would have to prearrange a dangerous executable. Then
> find and click a link targeting that executable. Could all this happen
> by accident? More likely for a blundering user to "cd ~; rm -r *"?

I seem to remember a number of URL handling exploits that could cause a
problem (if they still exist). I definitely remember that as being the
reason for closing that capability! :-(

"file:///..." has been used in the past to view directories, and there
are other variations.
It seems an unnecessary risk. Have you considered running a tiny
webserver on your local machine (monkey?) and serving the local file/s
from that?

>
>> So, as
>> soon as you set "security.checkloaduri=true", a website you're visiting
>> could copy all files from your local disk which you're allowed to read
>> (so /etc/shadow would be inaccessible (except you run iceweasel as root
>> :-)), but all files in /home/user can be copied).
>
> Only if the local user clicks on the link and the target does the malicious
> deed. Why would such a dangerous target executable be lying around?

Only if something follows the link and does something you haven't
thought of.... How can you determine such a thing is not possible?

At the very least the intruder would gain dangerous insights into your
OS, enabling them to find further exploits. But just knowing what files
you have on your system is a risk.

Decided it's best I don't post a working example of why not to do it.
Tempting though... :-D
<snipped>

Interesting. I have a situation where I want a user to be able load
local files from a (local) webpage - and use javascript to modify local
files - so please post your outcome.

Cheers

--
Tuttle? His name's Buttle.
There must be some mistake.
Mistake? [Chuckles]
We don't make mistakes.

Archive: http://lists.debian.org/4DEED945.9030105@gmail.com
 