
Re: [whatwg] Zip archives as first-class citizens

From: Anne van Kesteren <annevk@annevk.nl>
Date: Wed, 28 Aug 2013 17:21:59 +0100
Message-ID: <CADnb78i7G+pvFKPbpJb9n+OvnTtyCA6jkWr32axtG3nudSrZXg@mail.gmail.com>
To: Michal Zalewski <lcamtuf@coredump.cx>
Cc: WHATWG <whatwg@lists.whatwg.org>, Boris Zbarsky <bzbarsky@mit.edu>

On Wed, Aug 28, 2013 at 4:50 PM, Michal Zalewski <lcamtuf@coredump.cx> wrote:
> 1) Both jar: and mhtml: (which work or worked in a very similar way)
> have caused problems in absence of strict Content-Type matching. In
> essence, it is relatively easy for something like a valid
> user-supplied text document or an image to be also a valid archive.
> Such archives may end up containing "files" that the owner of the
> website never intended to host in their origin.

This also seems like a problem for being able to navigate to a zip
archive's resources. E.g. if you have a hosting service for zip
archives someone could upload one with an HTML subresource that
executes some malicious script and trick users into navigating to
http://hosting.example/pinkpony%!look.html

I wonder if that is enough of a concern to not support navigating to
zip resources at all. Or is Gecko's jar support enough to not have to
care about this? (But we probably should do more than sniffing as you
point out.)


> 2) Both schemes also have a long history of breaking origin / host
> name parsing in various places in the browser and introducing security
> bugs.


-- 
http://annevankesteren.nl/
Received on Wednesday, 28 August 2013 16:22:26 UTC
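
The strict Content-Type matching discussed in point 1, shown as an added example that is not part of the original message: a file served as an image can still parse as a zip archive, so content sniffing alone is not a safe gate. The function names, the accepted type set and the sample bytes are assumptions constructed for illustration.

```python
import io
import zipfile

# Assumption: the only media type a host is willing to treat as an archive.
ZIP_TYPES = {"application/zip"}


def media_type(content_type: str) -> str:
    """Strip parameters and normalise case of a Content-Type header value."""
    return content_type.split(";", 1)[0].strip().lower()


def sniffs_as_zip(body: bytes) -> bool:
    """True if the bytes parse as a zip archive, whatever precedes the archive."""
    return zipfile.is_zipfile(io.BytesIO(body))


def may_treat_as_archive(content_type: str, body: bytes) -> bool:
    """Strict gate: the declared type must match AND the bytes must parse."""
    return media_type(content_type) in ZIP_TYPES and sniffs_as_zip(body)


def hidden_members(content_type: str, body: bytes) -> list:
    """Member names inside a body that was NOT declared as an archive.

    A non-empty result means the upload is also a valid archive and carries
    "files" the site owner never intended to host."""
    if media_type(content_type) in ZIP_TYPES or not sniffs_as_zip(body):
        return []
    with zipfile.ZipFile(io.BytesIO(body)) as zf:
        return zf.namelist()


def build_samples():
    """Constructed inputs: a plain archive, and image-like bytes followed by it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("look.html", "<p>constructed sample member</p>")
    plain_zip = buf.getvalue()
    image_prefix = b"GIF89a" + b"\x00" * 32  # constructed, image-like header only
    return plain_zip, image_prefix, image_prefix + plain_zip


if __name__ == "__main__":
    plain_zip, image_only, dual = build_samples()
    print("sniffing accepts dual-format body:", sniffs_as_zip(dual))
    print("strict gate accepts it as image/gif:", may_treat_as_archive("image/gif", dual))
    print("members found in image upload:", hidden_members("image/gif", dual))
```

An upload filter can reject any non-archive upload for which `hidden_members` returns names, while the serving side applies `may_treat_as_archive` before exposing archive contents.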
