>> file:///dev/pty0

> However, the UNIX API has a very simple and *reliable* way around this:
> stat(2)

That's good enough to defend against hostile remote content - though as
someone pointed out, it's arguably broken to obey file: URLs at all from
anything but another file:.  (Or when user-specified, of course.)

However, using stat() still leaves you vulnerable to local races of the
sort I'm sure we've all seen far more examples of than we'd like.

I'm not even sure I'd want to disable device file:s, actually.  To
(probably mis-)quote someone or other, "UNIX does not prevent you from
doing stupid things because that would also prevent you from doing
clever things".

/~\ The ASCII                           der Mouse
\ / Ribbon Campaign
 X  Against HTML               mouseat_private
/ \ Email!           7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
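Added example, not part of the original message: the local race mentioned above comes from checking a name with stat() and then resolving the same name again in open(). The sketch below contrasts that with opening once and calling fstat() on the descriptor; the function names and the sample paths are assumptions made for illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Racy pattern: the name is checked, then resolved a second time by open().
 * A local user who controls the directory can swap the file in between. */
int stat_then_open(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0 || !S_ISREG(st.st_mode))
        return -1;
    return open(path, O_RDONLY);        /* second lookup of the same name */
}

/* Race-free pattern: open once, then inspect the object actually opened.
 * O_NONBLOCK keeps open() from hanging on a FIFO; O_NOCTTY keeps a tty
 * from becoming the controlling terminal. */
int open_regular_only(const char *path)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NONBLOCK | O_NOCTTY);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        errno = EINVAL;                 /* reported as an invalid target */
        return -1;
    }
    return fd;
}

int main(void)
{
    /* Constructed sample paths: a device node and a directory. */
    const char *paths[] = { "/dev/null", "/" };
    for (size_t i = 0; i < 2; i++) {
        int fd = open_regular_only(paths[i]);
        printf("%s: %s\n", paths[i], fd < 0 ? "rejected" : "opened");
        if (fd >= 0)
            close(fd);
    }
    return 0;
}
```

The fstat() result describes the object behind the descriptor, so renaming or replacing the path after open() cannot change what was checked; the open() call itself still reaches the device driver before the type is known.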
This archive was generated by hypermail 2b30 : Thu Jul 19 2001 - 10:11:52 PDT