Bash won't let me do this: $ mkdir https: mkdir: cannot create directory `https:': No such file or directory
$ mkdir "https:" mkdir: cannot create directory `https:': No such file or director 2010/1/9 Victor Khimenko <k...@google.com> > > On Sat, Jan 9, 2010 at 2:55 PM, Antoine Labour <pi...@google.com> wrote: > >> I'm not sure I understand the security risk... If an attacker is able to >> write files on my disk I have a lot more things to worry about than my >> browser spoofing urls. >> >> Are you sure? The idea is the same as with $PATH attack. Sure, some > systems don't even need "." in PATH to call programs from current dir by > default, but it does make it good idea. > > >> In any case you can always OpenURL(string("file://") + >> urlencode(file_or_url)) instead of OpenLocalFile >> >> What will this change? There are sad but fundamental truth about POSIX > filenames: ANY string without embedded NUL characters can be valid filename. > There are some limitations (MAX_PATH, max number of slashes in some systems, > etc), but they are minor. > > -- > Chromium Developers mailing list: chromium-dev@googlegroups.com > View archives, change email options, or unsubscribe: > http://groups.google.com/group/chromium-dev > -- Pierre.
-- Chromium Developers mailing list: chromium-dev@googlegroups.com View archives, change email options, or unsubscribe: http://groups.google.com/group/chromium-dev