Page 1 of 1

Safety of Making "file" type INPUTs Settable

Posted: 2019-10-08, 15:53
by RealityRipple
Just about two years ago now, the WHATWG decided that "file" input boxes were okay to have their "files" attribute settable, most simply as a result of a drag-and-drop operation -- I'm assuming due to CORS strictness about what scripts can be loaded on what pages? Anyway, if it's safe now, any plans for Pale Moon to support it, too? Or are there still security issues to contend with on this front for PM?

Re: Safety of Making "file" type INPUTs Settable

Posted: 2019-10-08, 16:49
by Moonchild
It's not safe.
IIUC, malicious scripting can set the files attribute (a list of selected files) to a well-known path for an arbitrary number of entries, and then it's just a matter of tricking the user into confirming an upload to grab that arbitrary file as-if the user selected it.

Re: Safety of Making "file" type INPUTs Settable

Posted: 2019-10-08, 17:23
by RealityRipple
Moonchild wrote:
2019-10-08, 16:49
It's not safe.
IIUC, malicious scripting can set the files attribute (a list of selected files) to a well-known path for an arbitrary number of entries, and then it's just a matter of tricking the user into confirming an upload to grab that arbitrary file as-if the user selected it.
Is there an exposed method for creating or manipulating FileList objects that isn't documented? If not, how would the first half of the script pull that off?