[pmwiki-users] how does one encode "file:" link in a wiki page?

Robin robin at kallisti.net.nz
Wed Feb 2 09:54:56 CST 2005


On Wednesday 02 February 2005 06:22, Neil Herber wrote:
> This sounds like FUD to me. If the sole change is that the user can display
> local files locally, then what is the security hole?
It's not FUD (i.e. there is no Fear, Uncertainty or Doubt involved).
Basically, the lack of (or at least the half-hearted attempt at) regulating
interaction between local stuff and remote stuff is where many many of IE's
security issues come from.

> If by turning off this "security check" what access does it give remote
> hosts or scripts to your system?
Remember that script that was in (I think) an html document on your local 
machine, that was the help for something-or-other, and if you passed it 
certain options it could delete local files? Allowing webpages to call URLs 
like that is a Bad Thing. As I understand it, it's possible for file:// URLs 
to do more with the system, as they are pretty much automatically trusted. 
That means that a webpage could call a buggy one that was on your machine and 
do bad things, or it could drop one in the cache, and load it with a file:// 
URL. (There are other protections on the cache, like random directory naming, 
but 'defence in depth' is a very good principle.) Also, allowing file:// URLs 
means that webpages can detect what you have installed on your system which 
is a privacy violation, and a possible way of sorting out other attacks to 
use. Trust me, there are definitely good reasons for it. It's pretty easy for 
seemingly innocuous features to be abused. 

-- 
Robin <robin at kallisti.net.nz>             JabberID: <eythian at jabber.org>

Hostes alienigeni me abduxerunt. Qui annus est?

PGP Key 0xA99CEB6D = 5957 6D23 8B16 EFAB FEF8  7175 14D3 6485 A99C EB6D