[pmwiki-users] how does one encode "file:" link in a wiki page?
Robin
robin at kallisti.net.nz
Wed Feb 2 09:54:56 CST 2005
On Wednesday 02 February 2005 06:22, Neil Herber wrote:
> This sounds like FUD to me. If the sole change is that the user can display
> local files locally, then what is the security hole?
It's not FUD (i.e. there is no Fear, Uncertainty or Doubt involved).
Basically, the lack of (or at least the half-hearted attempt at) regulating
interaction between local stuff and remote stuff is where many, many of IE's
security issues come from.
> By turning off this "security check", what access does it give remote
> hosts or scripts to your system?
Remember that script that was in (I think) an html document on your local
machine, that was the help for something-or-other, and if you passed it
certain options it could delete local files? Allowing webpages to call URLs
like that is a Bad Thing. As I understand it, it's possible for file:// URLs
to do more with the system, as they are pretty much automatically trusted.
That means that a webpage could call a buggy one that was on your machine and
do bad things, or it could drop one in the cache, and load it with a file://
URL. (There are other protections on the cache, like random directory naming,
but 'defence in depth' is a very good principle.) Also, allowing file:// URLs
means that webpages can detect what you have installed on your system which
is a privacy violation, and a possible way of sorting out other attacks to
use. Trust me, there are definitely good reasons for it. It's pretty easy for
seemingly innocuous features to be abused.
--
Robin <robin at kallisti.net.nz> JabberID: <eythian at jabber.org>
Hostes alienigeni me abduxerunt. Qui annus est?
PGP Key 0xA99CEB6D = 5957 6D23 8B16 EFAB FEF8 7175 14D3 6485 A99C EB6D
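An added example, not code from this thread or from PmWiki itself, of the mitigation Robin's point implies for a wiki: a scheme allowlist applied to bracketed links so that file:, javascript: and similar local or scripting schemes are never emitted as clickable anchors, even when written in mixed case or padded with control characters. The ALLOWED_SCHEMES set and the [[url | text]] link syntax are assumptions.

```python
# Added example: scheme allowlist for links in wiki markup (assumed [[url | text]] syntax).
import html
import re
from urllib.parse import urlsplit

# Assumed policy: only these schemes may become clickable links.
ALLOWED_SCHEMES = {"http", "https", "mailto", "ftp"}

# Browsers strip ASCII whitespace and C0 control characters from a URL before
# working out its scheme, so the filter must do the same or "fi\tle:" slips past it.
_CTRL_WS = re.compile(r"[\x00-\x20\x7f]")


def url_scheme(url: str) -> str:
    """Return the lower-cased scheme a browser would see, or '' for a relative link."""
    cleaned = _CTRL_WS.sub("", url)
    return urlsplit(cleaned).scheme.lower()


def is_safe_link(url: str) -> bool:
    """Allow relative (in-wiki) links and allowlisted schemes; block everything else."""
    scheme = url_scheme(url)
    if scheme == "":
        return True  # relative link within the wiki, resolved against the wiki's own origin
    return scheme in ALLOWED_SCHEMES


# Assumed markup: [[target]] or [[target | link text]]
LINK_RE = re.compile(r"\[\[\s*([^\]|]+?)\s*(?:\|\s*([^\]]*?)\s*)?\]\]")


def render_links(markup: str) -> str:
    """Turn allowed links into <a> elements; blocked ones keep their text but no href."""
    def repl(m: re.Match) -> str:
        url = m.group(1)
        text = m.group(2) or url
        if is_safe_link(url):
            return f'<a href="{html.escape(url, quote=True)}">{html.escape(text)}</a>'
        return f'<span class="blocked-link">{html.escape(text)}</span>'
    return LINK_RE.sub(repl, markup)


if __name__ == "__main__":
    # Constructed sample page text mixing a normal link with a file: link.
    sample = "[[https://example.org | ok]] and [[FILE:///C:/help.htm | local help]]"
    print(render_links(sample))
```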