W3C home > Mailing lists > Public > whatwg@whatwg.org > April 2017

Re: [whatwg] Accessing local files with JavaScript portably and securely

From: duanyao <duanyao@ustc.edu>
Date: Tue, 18 Apr 2017 20:03:07 +0800
To: Ashley Sheridan <ash@ashleysheridan.co.uk>, whatwg@lists.whatwg.org, Roger Hågensen <rh_whatwg@skuldwyrm.no>
Message-ID: <ada101c1-ef7f-1c9c-21c0-0ae616608f8d@ustc.edu>
在 2017年04月18日 19:27, Ashley Sheridan 写道:
>
> On 18 April 2017 12:18:57 BST, duanyao <duanyao@ustc.edu> wrote:
>> 在 2017年04月18日 18:52, Ashley Sheridan 写道:
>>>> Maybe no. "files" is a generic word, so if you make every
>> "xxx_files/"
>>>> folders magical, it's quite possible that there are folders happen
>> to
>>>> ends with "_files" but are not intented to be local web apps. If you
>>>> require a `xxx.html` to make "xxx_files/" magical, it is a little
>>>> awkward and confusing for muli-page app.
>>>>
>>>> This is why I propose a new (and unlikely already used) pattern
>>>> `xxx_webrun/` for more powerful muli-page app, and limit
>> `xxx_files/`
>>>> to
>>>> single page app.
>>>>
>>>> In single page app case, it would be more common that `test.html`
>> gets
>>>> `test_files\page{2|3}.html` via XHR and renders the latter in place,
>>>> instead of navigating to it.
>>>> So the latter don't need to access `test_files\config.json`
>> themselves.
>>> *any* magic behavior is a sure-fire sign that something is wrong(TM)
>> Maybe. But there are occasions where magic is unavoidable. E.g. how to
>> infer the MIME type of a file? filename extension? magic numbers? all
>> are magic.
>>
>> If the barrier is not high enough, name it `xxx__webrun__/`.
> But when you're talking about security, which we are, relying on magic anything is potentially disastrous.
>
> You mention mime types and file extensions, both of which are not safe to rely on for anything related to security, hence there being entire libraries and frameworks to attempt to determine and test a files real type (windows still fails abysmally in this area though).
Those libraries and frameworks *will* fail because it is entirely 
possible that a file is conformant to multiple formats simultaneously.
Also the methodology use by those libraries and frameworks is magic.

>
> Just relying on magic filenames *will* fail. Consider the scenario where a file is accidentally copied over the original entry html. Now it's associated with the wrong directory of assets and other 'linked' files. This new html entry point file could easily be an exploited file, looking to grab whatever data is being held locally on your machine.
Sure it is possible, but usually the damage is limited because the entry 
file can only access a limited folder `XXX_files`. By
accidentally overriding a html file, you already cause a data loss in 
the first place.
>>>
>>> Thanks,
>>> Ash
> Thanks,
> Ash
Received on Tuesday, 18 April 2017 12:04:52 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 18 April 2017 12:04:52 UTC