Ishikawa <ishikawaat_private> wrote:
> due to the problems mentioned,
> we should not forget that a famous browser client on
> Linux is similarly guilty.
>
> I tried the following URLs with
> my netscape browser under Linux.
>
> file:///dev/null ...
> file:///dev/zero ...
> file:///dev/pty0

A 'stat' of all of these files shows that they are not regular files. There's no reason, then, to open them in the browser.

> If someone wants to be nasty, he/she can
> create a web page with
> URLs inside <IMG SRC="these device files" ....>
> listing DOS devices as well as these popular UNIX devices.

I question the wisdom of browsers which allow external web pages to reference local files via 'file://' URLs.

> As someone mentioned, we can't predict what other
> device files may show up in the future by addition of
> new hardware drivers.

We also cannot predict where special files exist. Placing the special file 'zero' in '/dev' is simply an administrative convention on many Unix systems. Device files can exist anywhere.

> One may be tempted to block all the files below /dev inside
> the browser/servers.
> Could this be a cure for this problem under linux/UNIX?

No. The browsers should be using the 'fstat' function, prior to opening any 'file://' URL. Regular files and directories should be OK. Links should have their links de-referenced, and the linked-to file 'fstat'ed also. Any other files should be ignored.

Alan DeKok.
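The check recommended in the message above, written out as an added example (this is not code from the original post or from any browser). It applies the file-type test to whatever open() actually returns a descriptor for, which is the symlink's final target, and it runs fstat() on that descriptor rather than stat() on the path first, so there is no window between the check and the open in which the path could be swapped for a device. It also opens with O_NONBLOCK and O_NOCTTY, so that a FIFO with no writer or a terminal device cannot hang the browser or become its controlling terminal before the check rejects it. The function names (file_url_open, file_url_verdict_for, the demo_* helpers) and the use of /tmp for constructed sample files are this example's own assumptions.

```c
/* Added example: accept a file:// target only if the object actually
 * opened is a regular file or a directory.  Not from the original post. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

enum file_url_verdict { FU_OK = 0, FU_NOT_REGULAR = 1, FU_OPEN_FAILED = 2 };

/* Open a local path on behalf of a file:// URL.  Returns a descriptor >= 0
 * only for regular files and directories; devices, FIFOs, sockets and the
 * like are closed again and rejected.  open() follows symlinks, so the
 * type examined is that of the final target, as the post asks for. */
int file_url_open(const char *path, enum file_url_verdict *why)
{
    /* O_NONBLOCK: a FIFO with no writer, or a slow device, must not block
     * the open.  O_NOCTTY: a tty must not become our controlling terminal. */
    int fd = open(path, O_RDONLY | O_NONBLOCK | O_NOCTTY);
    if (fd < 0) {
        *why = FU_OPEN_FAILED;
        return -1;
    }
    struct stat st;
    /* fstat() on the descriptor: the check and the open refer to the same
     * inode, unlike a stat() of the path followed by a separate open(). */
    if (fstat(fd, &st) < 0 || !(S_ISREG(st.st_mode) || S_ISDIR(st.st_mode))) {
        close(fd);
        *why = FU_NOT_REGULAR;
        return -1;
    }
    /* The object is safe to read; restore blocking reads for the caller. */
    int fl = fcntl(fd, F_GETFL);
    if (fl >= 0)
        fcntl(fd, F_SETFL, fl & ~O_NONBLOCK);
    *why = FU_OK;
    return fd;
}

/* Convenience wrapper: classify a path and discard the descriptor. */
int file_url_verdict_for(const char *path)
{
    enum file_url_verdict why;
    int fd = file_url_open(path, &why);
    if (fd >= 0)
        close(fd);
    return (int)why;
}

/* Constructed sample: an ordinary file under /tmp is accepted. */
int demo_regular_file_ok(void)
{
    char tmp[] = "/tmp/fileurl.XXXXXX";
    int fd = mkstemp(tmp);
    if (fd < 0)
        return -1;
    if (write(fd, "hello", 5) != 5) {
        close(fd);
        unlink(tmp);
        return -1;
    }
    close(fd);
    int v = file_url_verdict_for(tmp);
    unlink(tmp);
    return v;
}

/* Constructed sample: a FIFO with no writer.  Without O_NONBLOCK the
 * open() alone would hang forever; with it, the open returns at once and
 * fstat() rejects the object. */
int demo_fifo_rejected(void)
{
    char dir[] = "/tmp/fileurl.XXXXXX";
    if (!mkdtemp(dir))
        return -1;
    char fifo[64];
    snprintf(fifo, sizeof fifo, "%s/fifo", dir);
    if (mkfifo(fifo, 0600) < 0) {
        rmdir(dir);
        return -1;
    }
    int v = file_url_verdict_for(fifo);
    unlink(fifo);
    rmdir(dir);
    return v;
}

/* Constructed sample: a symlink in /tmp pointing at /dev/null.  The link
 * itself is not in /dev, so a path-prefix block list would let it through;
 * the fstat() of the opened target still rejects it. */
int demo_symlink_to_device_rejected(void)
{
    char dir[] = "/tmp/fileurl.XXXXXX";
    if (!mkdtemp(dir))
        return -1;
    char link[64];
    snprintf(link, sizeof link, "%s/null-link", dir);
    if (symlink("/dev/null", link) < 0) {
        rmdir(dir);
        return -1;
    }
    int v = file_url_verdict_for(link);
    unlink(link);
    rmdir(dir);
    return v;
}

int main(void)
{
    printf("/dev/null        -> %d (0 ok, 1 not regular, 2 open failed)\n",
           file_url_verdict_for("/dev/null"));
    printf("regular file     -> %d\n", demo_regular_file_ok());
    printf("fifo, no writer  -> %d\n", demo_fifo_rejected());
    printf("symlink to null  -> %d\n", demo_symlink_to_device_rejected());
    return 0;
}
```

The symlink case is the one a "/dev prefix" filter misses: the path the browser sees is under /tmp, yet the inode it would read from is a device. Checking the opened descriptor makes the location of the special file irrelevant, which is the point of the reply above.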
This archive was generated by hypermail 2b30 : Wed Jul 18 2001 - 10:33:23 PDT