Safety of Making "file" type INPUTs Settable
Forum rules
Please keep everything here strictly on-topic.
This board is meant for Pale Moon source code development related subjects only like code snippets, patches, specific bugs, git, the repositories, etc.
This is not for tech support! Please do not post tech support questions in the "Development" board!
Please make sure not to use this board for support questions. Please post issues with specific websites, extensions, etc. in the relevant boards for those topics.
Please keep things on-topic as this forum will be used for reference for Pale Moon development. Expect topics that aren't relevant as such to be moved or deleted.
- RealityRipple
- Astronaut
- Posts: 660
- Joined: 2018-05-17, 02:34
- Location: Los Berros Canyon, California
Safety of Making "file" type INPUTs Settable
Just about two years ago now, the WHATWG decided that "file" input boxes were okay to have their "files" attribute settable, most simply as a result of a drag-and-drop operation -- I'm assuming due to CORS strictness about what scripts can be loaded on what pages? Anyway, if it's safe now, any plans for Pale Moon to support it, too? Or are there still security issues to contend with on this front for PM?
Re: Safety of Making "file" type INPUTs Settable
It's not safe.
IIUC, malicious scripting can set the files attribute (a list of selected files) to a well-known path for an arbitrary number of entries, and then it's just a matter of tricking the user into confirming an upload to grab that arbitrary file as if the user selected it.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
- RealityRipple
Re: Safety of Making "file" type INPUTs Settable
Moonchild wrote: ↑2019-10-08, 16:49
> It's not safe.
> IIUC, malicious scripting can set the files attribute (a list of selected files) to a well-known path for an arbitrary number of entries, and then it's just a matter of tricking the user into confirming an upload to grab that arbitrary file as if the user selected it.

Is there an exposed method for creating or manipulating FileList objects that isn't documented? If not, how would the first half of the script pull that off?