Bash won't let me do this:
$ mkdir https:
mkdir: cannot create directory `https:': No such file or directory
$ mkdir "https:"
mkdir: cannot create directory `https:': No such file or director
2010/1/9 Victor Khimenko <k...@google.com>
>
> On Sat, Jan 9, 2010 at 2:55 PM, Antoine Labour <pi...@google.com> wrote:
>
>> I'm not sure I understand the security risk... If an attacker is able to
>> write files on my disk I have a lot more things to worry about than my
>> browser spoofing urls.
>>
>> Are you sure? The idea is the same as with $PATH attack. Sure, some
> systems don't even need "." in PATH to call programs from current dir by
> default, but it does make it good idea.
>
>
>> In any case you can always OpenURL(string("file://") +
>> urlencode(file_or_url)) instead of OpenLocalFile
>>
>> What will this change? There are sad but fundamental truth about POSIX
> filenames: ANY string without embedded NUL characters can be valid filename.
> There are some limitations (MAX_PATH, max number of slashes in some systems,
> etc), but they are minor.
>
> --
> Chromium Developers mailing list: chromium-dev@googlegroups.com
> View archives, change email options, or unsubscribe:
> http://groups.google.com/group/chromium-dev
>
--
Pierre.
--
Chromium Developers mailing list: chromium-dev@googlegroups.com
View archives, change email options, or unsubscribe:
http://groups.google.com/group/chromium-dev
