Re: Use Cases and Requirements for Saving Files Securely from Jonas Sicking on 2009-11-12 (public-webapps@w3.org from October to December 2009)

From: Jonas Sicking <jonas@sicking.cc>
Date: Thu, 12 Nov 2009 01:40:33 -0800
To: Maciej Stachowiak <mjs@apple.com>
Cc: Eric Uhrhane <ericu@google.com>, Ian Hickson <ian@hixie.ch>, Doug Schepers <schepers@w3.org>, "public-webapps@w3.org" <public-webapps@w3.org>, public-device-apis@w3.org
Message-ID: <63df84f0911120140y7cb6a5cbrc9c4c3f097cfd3dd@mail.gmail.com>
On Wed, Nov 11, 2009 at 6:59 PM, Maciej Stachowiak <mjs@apple.com> wrote:
>
> On Nov 11, 2009, at 3:51 PM, Eric Uhrhane wrote:
>
>> On Mon, Nov 9, 2009 at 4:21 PM, Maciej Stachowiak <mjs@apple.com> wrote:
>>>
>>> On Nov 9, 2009, at 12:08 PM, Ian Hickson wrote:
>>>
>>>> On Mon, 2 Nov 2009, Doug Schepers wrote:
>>>>>
>>>>> Please send in use cases, requirements, concerns, and concrete
>>>>> suggestions about the general topic (regardless of your opinion about
>>>>> my
>>>>> suggestion).
>>>>
>>>> Some use cases:
>>>>
>>>> * Ability to manage attachments in Web-based mail clients, both
>>>> receiving
>>>>  and sending
>>>> * Ability to write a Web-based mail client that uses mbox files or the
>>>>  Maildir format locally
>>>> * Ability to write a Web-based photo management application that handles
>>>>  the user's photos on the user's computer
>>>> * Ability to expose audio files to native media players
>>>> * Ability to write a Web-based media player that indexes the user's
>>>> media
>>>
>>> These are good use cases.
>>>
>>>>
>>>> Basically these require:
>>>>
>>>> - A per-origin filesystem (ideally exposed as a directory on the user's
>>>>  actual filesystem)
>>>> - The ability to grant read and/or write privileges to a particular
>>>>  directory to an origin
>>>> - An API for files that supports reading and writing arbitrary ranges
>>>> - An API for directories that supports creating, renaming, moving, and
>>>>  enumerating child directories and files
>>>
>>> Can you explain how these requirements follow from the use cases? It
>>> seems
>>> to me the use cases you cited would be adequately covered by:
>>>
>>> - Existing facilities including <input type="file"> with multiple
>>> selection.
>>> - File read facilities as outlined in the File API spec.
>>> - Ability to create named writable files in a per-origin private use area
>>> (with no specific requirement that they be browsable by the user, or in
>>> hierarchical directories).
>>
>> I think that exposing audio files to native players would require the
>> ability to create directories in the native filesystem, thus making
>> them browsable.  Sure, you could just toss them in a single directory
>> without hierarchy, but that's not a great user experience, and it hits
>> serious performance problems with large audio collections.  The same
>> problems would affect the photo manager.
>
> With the native music player I'm most familiar with, iTunes, the user is not
> even really aware of where audio files are in the file system. It does use a
> directory hierarchy, but it's pretty rare for users to actually poke around
> in there. And the iPod application on iPhone (as well as the iPod itself) do
> not even have a user-visible filesystem hierarchy. So overall I don't buy
> hierarchical directories as a hard requirement to build a music player or to
> expose content to a music player.
>
> That being said, I think creating subdirectories in a per-origin private use
> area is probably less risky than user-granted privilege to manipulate
> directories elsewhere in the filesystem. But I would be inclined to avoid
> this mechanism at first, and if it is needed, start with the bare minimum.
> I'm not convinced by your argument that it is necessary.

I can think of two security concerns if a website is able to store
executable files with a proper .exe extension on windows:
1. It's happened several times in the past that exploits have made it
possible to run a executable stored on the users system. If a website
is able to first store an arbitrary executable and then execute it,
that's much worse than being able to run the executables that live on
the system already. In other words, being able to write a executable
to the users system can be a important first step in a two-step
attack.
This could be fixed by 'salting' all the directory names. I.e. make
the directory where the files are stored unguessable. We do this for
the profile directories in Firefox.
2. Having a untrusted executable stored on the users system is
somewhat scary. A user browsing around on his hard drive could easily
accidentally run such an executable. Especially since the executable
could contain a arbitrary icon, such as an icon similar some other
program. Imagine for example writing a file called "skype.exe" with a
skype icon being written. A user could very well accidentally find
this while searching for skype on his/her computer.

I think that if we were to implement something like this in firefox,
we would probably never write executable files. Instead we would
mangle their on-disk-name such that windows wouldn't recognize it as
executable. (on mac/linux I think never setting the 'executable' flag
would have the same effect). This could of course be hidden from the
API, such that the web page API still saw a file with a proper .exe
extension.

There's quite possibly other issues like this as well. Writing .doc
files with evil macros comes to mind.

/ Jonas
Received on Thursday, 12 November 2009 09:41:27 UTC