On Wed, Jan 13, 2010 at 8:36 AM, Evan Martin <ev...@google.com> wrote:
> Since the proposed vulnerability is that I have cd'ed into a specially > crafted malicious directory then type out "google-chrome > some-particular-url", at which point I will end up at a file:// URL > under the attacker's control, I am skeptical we should worry about > this. > > 1) 99% of users don't have attackers writing arbitrary files to their > disk (most users don't have shared disk environments) > 2) 99% of users don't launch URLs from the command line > 3) the attacker can't do much (how can a file url attack you? phishing?) > Steal all your local files and send them off to some website. I recently made this a tiny bit harder (restrict directory listings). I'll do something much stronger sometime soon. Cheers Chris > > On Wed, Jan 13, 2010 at 7:44 AM, Paweł Hajdan, Jr. > <phajdan...@chromium.org> wrote: > > Michał, Chris: could you comment on security aspects and give some > > recommendations? > > > > Ben, could you comment on the "user interaction / usability" aspect? > > We have few choices here, I'm not sure which one is preferred. > > > > On Mon, Jan 11, 2010 at 23:23, Benjamin Smedberg <bsmedb...@gmail.com> > wrote: > >> For what it's worth, the way Firefox solves this is: > >> > >> * Check if the file is an absolute file path > >> ** on Windows, X:\... or \\... > >> ** on Posix, /... > >> * Otherwise, it's a URL relative to the current working directory > >> ** So index.html resolves using the URL machinery to > >> file:///c:/cwd/index.html > >> ** while http://www.google.com resolves to itself > >> > >> This doesn't deal with the case firefox.exe www.google.com (which would > try > >> to resolve as a file), but we decided not to care about this case. We do > >> have the explicit firefox.exe -url www.google.com which will perform > URI > >> fixup to guess the correct URL. > >> > >> --BDS > >> > >> > >> -- > >> Chromium Developers mailing list: chromium-dev@googlegroups.com > >> View archives, change email options, or unsubscribe: > >> http://groups.google.com/group/chromium-dev > >> > > > > -- > > Chromium Developers mailing list: chromium-dev@googlegroups.com > > View archives, change email options, or unsubscribe: > > http://groups.google.com/group/chromium-dev > > >
-- Chromium Developers mailing list: chromium-dev@googlegroups.com View archives, change email options, or unsubscribe: http://groups.google.com/group/chromium-dev