Ishikawa <ishikawaat_private> writes:

> One may be tempted to block all the files below /dev inside
> the browser/servers.

If I ask my currently running web browser to open
file:/proc/self/fd/3, it gets /dev/zero, and starts burning CPU and
disc (until it runs out). There are some pipes in there too, which
presumably have internal significance to the executing program; if I'd
started it from a terminal there'd be some FDs onto that. I'm sure
there are all sorts of possibilities for disruption.

Special files outside /dev constitute as much of a risk as the
contents of /dev.

> Could this be a cure for this problem under linux/UNIX?
> (Yes, I know we can have devices under different places.
> But I am not sure if the devices under non-standard places
> can be used for DoS attacks in the browser context
> I mentioned above.)

A better answer might be to stat the file, and reject it if it is not
a regular file.

Another approach would be to forbid inlining "file:" URLs from
external pages, as described at
http://bugzilla.mozilla.org/show_bug.cgi?id=91316

ttfn/rjk
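
The "reject it if it is not a regular file" check suggested in the message above, as an added example that is not part of the original post or of any browser's code. It goes one step beyond a plain stat(): it opens first and then calls fstat() on the descriptor, so the check applies to the object actually opened; open_regular_only is a hypothetical helper name.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: open `path` read-only, but only if it resolves to a
 * regular file. Returns a descriptor, or -1 with errno set. */
int open_regular_only(const char *path)
{
    struct stat st;
    /* O_NONBLOCK: opening a FIFO with no writer returns instead of hanging.
     * O_NOCTTY: a terminal device must not become our controlling tty. */
    int fd = open(path, O_RDONLY | O_NONBLOCK | O_NOCTTY);
    if (fd < 0)
        return -1;

    /* fstat() the descriptor rather than stat() the path, so the file
     * cannot be swapped for a device between the check and the use. */
    if (fstat(fd, &st) != 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    if (!S_ISREG(st.st_mode)) {   /* device, FIFO, socket, directory */
        close(fd);
        errno = EINVAL;
        return -1;
    }

    /* Regular file: clear O_NONBLOCK so later reads behave normally. */
    int flags = fcntl(fd, F_GETFL);
    if (flags != -1)
        fcntl(fd, F_SETFL, flags & ~O_NONBLOCK);
    return fd;
}

int main(int argc, char **argv)
{
    for (int i = 1; i < argc; i++) {
        int fd = open_regular_only(argv[i]);
        printf("%s: %s\n", argv[i], fd >= 0 ? "accepted" : "rejected");
        if (fd >= 0)
            close(fd);
    }
    return 0;
}
```

Because the type check follows symbolic links to their target, a path such as /proc/self/fd/3 that leads to /dev/zero is rejected the same way as /dev/zero itself.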
This archive was generated by hypermail 2b30 : Thu Jul 19 2001 - 09:12:18 PDT