Safety of Making "file" type INPUTs Settable

Suggestions and feature requests for the Pale Moon browser
RealityRipple
Moonbather
Posts: 50
Joined: 2018-05-17, 02:34

Safety of Making "file" type INPUTs Settable

Post by RealityRipple » 2019-10-08, 15:53

Just about two years ago now, the WHATWG decided that "file" input boxes were okay to have their "files" attribute settable, most simply as a result of a drag-and-drop operation -- I'm assuming due to CORS strictness about what scripts can be loaded on what pages? Anyway, if it's safe now, any plans for Pale Moon to support it, too? Or are there still security issues to contend with on this front for PM?

Moonchild
Pale Moon guru
Posts: 25761
Joined: 2011-08-28, 17:27
Location: 58°2'16"N 14°58'31"E

Re: Safety of Making "file" type INPUTs Settable

Post by Moonchild » 2019-10-08, 16:49

It's not safe.
IIUC, malicious scripting can set the files attribute (a list of selected files) to a well-known path for an arbitrary number of entries, and then it's just a matter of tricking the user into confirming an upload to grab that arbitrary file as if the user selected it.

RealityRipple
Moonbather
Posts: 50
Joined: 2018-05-17, 02:34

Re: Safety of Making "file" type INPUTs Settable

Post by RealityRipple » 2019-10-08, 17:23

Moonchild wrote (2019-10-08, 16:49):
    It's not safe.
    IIUC, malicious scripting can set the files attribute (a list of selected files) to a well-known path for an arbitrary number of entries, and then it's just a matter of tricking the user into confirming an upload to grab that arbitrary file as if the user selected it.
Is there an exposed method for creating or manipulating FileList objects that isn't documented? If not, how would the first half of the script pull that off?
