Safety of Making "file" type INPUTs Settable

Suggestions and feature requests for the Pale Moon browser

Moderator: satrow

User avatar
RealityRipple
Moonbather
Moonbather
Posts: 50
Joined: 2018-05-17, 02:34
Contact:

Safety of Making "file" type INPUTs Settable

Unread post by RealityRipple » 2019-10-08, 15:53

Just about two years ago now, the WHATWG decided that "file" input boxes were okay to have their "files" attribute settable, most simply as a result of a drag-and-drop operation -- I'm assuming due to CORS strictness about what scripts can be loaded on what pages? Anyway, if it's safe now, any plans for Pale Moon to support it, too? Or are there still security issues to contend with on this front for PM?

User avatar
Moonchild
Pale Moon guru
Pale Moon guru
Posts: 24874
Joined: 2011-08-28, 17:27
Location: 58°2'16"N 14°58'31"E
Contact:

Re: Safety of Making "file" type INPUTs Settable

Unread post by Moonchild » 2019-10-08, 16:49

It's not safe.
IIUC, malicious scripting can set the files attribute (a list of selected files) to a well-known path for an arbitrary number of entries, and then it's just a matter of tricking the user into confirming an upload to grab that arbitrary file as-if the user selected it.
"If you want to build a better world for yourself, you have to be willing to build one for everybody." -- Coyote Osborne
Image

User avatar
RealityRipple
Moonbather
Moonbather
Posts: 50
Joined: 2018-05-17, 02:34
Contact:

Re: Safety of Making "file" type INPUTs Settable

Unread post by RealityRipple » 2019-10-08, 17:23

Moonchild wrote:
2019-10-08, 16:49
It's not safe.
IIUC, malicious scripting can set the files attribute (a list of selected files) to a well-known path for an arbitrary number of entries, and then it's just a matter of tricking the user into confirming an upload to grab that arbitrary file as-if the user selected it.
Is there an exposed method for creating or manipulating FileList objects that isn't documented? If not, how would the first half of the script pull that off?

Post Reply