While we can bash MS-Windows due to the problems mentioned, we should not forget that a famous browser client on Linux is similarly guilty. I tried the following URLs with my netscape browser under Linux. file:///dev/null returns immediately saying there is no data. Good. file:///dev/zero doesn't crash the browser nor OS, but it sucks CPU time nevertheless since it tries to read the data forever until I pushed the stop button. The next is a showstopper. The problem URL that caused the hung of browser, at least, on my PC is the following. file:///dev/pty0 This locked my netscape navigator solid. I had to kill it using kill command from another xterm window. X didn't get hung, etc.. Since trying other devices may cause more severe problems I stopped testing here. So, at least the netscape navigator client seems to have similar problems discussed, and I have no idea if there is a clear-cut cure for this. (My guess is that any OS that makes devices available as part of filesystem have some problems in this regard if the devices in questins are accessible by the user/web account.) If someone wants to be nasty, he/she can create a web page with URLs inside <IMG SRC="these device files" ....> listing DOS devices as well as these popular UNIX devices. As someone mentioned, we can't predict what other device files may show up in the future by addition of new hardware drivers. One may be tempted to block all the files below /dev inside the browser/servers. Could this be a cure for this problem under linux/UNIX? (Yes, I know we can have devices under different places. But I am not sure if the devices under non-stanard places can be used for DoS attacks in the browser context I mentioned above.) Linux version. Linux duron 2.4.6 #27 Wed Jul 11 05:08:01 JST 2001 i686 unknown Netscape is 4.77.
This archive was generated by hypermail 2b30 : Wed Jul 18 2001 - 08:23:44 PDT