On Sat, Jan 9, 2010 at 2:55 PM, Antoine Labour <pi...@google.com> wrote:
> I'm not sure I understand the security risk... If an attacker is able to
> write files on my disk I have a lot more things to worry about than my
> browser spoofing urls.
>

Are you sure? The idea is the same as with a $PATH attack. Sure, some systems don't even need "." in PATH to call programs from the current dir by default, but it does make it a good idea.

> In any case you can always OpenURL(string("file://") +
> urlencode(file_or_url)) instead of OpenLocalFile
>

What will this change? There is a sad but fundamental truth about POSIX filenames: ANY string without embedded NUL characters can be a valid filename. There are some limitations (MAX_PATH, max number of slashes on some systems, etc.), but they are minor.
--
Chromium Developers mailing list: chromium-dev@googlegroups.com
View archives, change email options, or unsubscribe:
http://groups.google.com/group/chromium-dev
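The point the reply makes is that a string handed to the browser as "file or URL" is always also a candidate filename, so a policy that asks the filesystem which one it is lets whoever can write into the current directory make the decision, the same way "." in $PATH lets them decide which program runs. The script below is an added example written for this page, not code from the thread or from Chromium: it plants a relative path that spells a URL (the path `http:/example.com`, which POSIX reads as the directory `http:` holding the file `example.com`, since the doubled slash collapses) and shows a naive "exists on disk, so it's a file" resolver being steered to the planted file. The `naive_resolve`, `explicit_resolve`, `plant_spoof` and `demo` functions and the `URL_SCHEMES` list are hypothetical names for this illustration; the hardened policy shown (decide from the shape of the string alone, never from what is on disk, and reject anything ambiguous) is one possible fix, not a description of what Chromium does.

```python
"""File-vs-URL ambiguity demo (added example, not Chromium code).

A launcher receives one string that may be a local path or a URL.  The
ambiguous policy asks the filesystem first ("if it exists, open it as a
file"), so anyone who can create entries under the current directory decides
what the string means.  Any NUL-free string is a candidate POSIX path.
"""
import os
import tempfile
from urllib.parse import urlsplit

# Illustrative scheme list for the hardened policy (an assumption of this demo).
URL_SCHEMES = {"http", "https", "ftp"}


def naive_resolve(arg, cwd):
    """Ambiguous policy: the filesystem decides.

    Returns ("file", absolute_path) if `arg` exists relative to `cwd`,
    otherwise ("url", arg).  Whoever can create files under cwd controls this.
    """
    candidate = os.path.join(cwd, arg)
    if os.path.exists(candidate):
        return ("file", os.path.realpath(candidate))
    return ("url", arg)


def explicit_resolve(arg, cwd):
    """Hardened policy: the shape of the string decides, disk is never consulted.

    - recognised scheme            -> URL, regardless of what exists on disk
    - file:// URL                  -> file, path taken from the URL
    - absolute or ./ ../ relative  -> file, resolved against cwd
    - anything else                -> rejected; the caller must say what it meant
    """
    parts = urlsplit(arg)
    if parts.scheme in URL_SCHEMES:
        return ("url", arg)
    if parts.scheme == "file":
        return ("file", os.path.realpath(parts.path))
    if arg.startswith(("/", "./", "../")):
        return ("file", os.path.realpath(os.path.join(cwd, arg)))
    raise ValueError("ambiguous argument, give a scheme or an explicit path: %r" % arg)


def plant_spoof(cwd, url):
    """Attacker step: make the URL string a real relative path under cwd.

    "http://example.com" as a POSIX path is http:/example.com (the repeated
    slash collapses), i.e. a directory named "http:" containing "example.com".
    """
    path = os.path.join(cwd, url)
    os.makedirs(os.path.dirname(path), exist_ok=True)   # creates "<cwd>/http:"
    with open(path, "w") as fh:                         # creates ".../http:/example.com"
        fh.write("<h1>spoofed</h1>\n")                   # constructed payload
    return path


def demo():
    """Run both policies on the planted name; returns (naive_kind, explicit_kind)."""
    url = "http://example.com"                          # constructed sample input
    with tempfile.TemporaryDirectory() as cwd:          # stands in for the attacker-writable cwd
        plant_spoof(cwd, url)
        naive = naive_resolve(url, cwd)                 # steered to the local file
        explicit = explicit_resolve(url, cwd)           # still a URL
        return naive[0], explicit[0]


if __name__ == "__main__":
    print(demo())
```

Run it in any scratch directory: the naive resolver reports `file` for a string that looks like a URL, while the explicit resolver reports `url` because it never looks at the disk. The rejection branch is the important part of the hardened policy; a bare `example.com` with no scheme and no leading `/`, `./` or `../` is refused rather than guessed, because guessing is exactly what hands the decision to the filesystem.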