On Sunday 03 July 2011 00:39:28 JD wrote: > On 07/02/2011 10:39 AM, Marko Vojinovic wrote: > > On Saturday 02 July 2011 15:50:18 JD wrote: > >> If a javascript can browse all accessible files, what's there > >> to prevent someone from writing a javascript to spawn > >> a process to upload your files? > > > > Permissions system? While the contents of / directory can be listed by > > just about any user on the system, it's a completely different story for > > writing to it. Also, can you browse through home directories of other > > users from the router? I doubt. > > Good question. > The dirs whose owners set to 0700 perms, > I cannot browse. > As I said, the script allows access to files that > the current user, accessing the web, has access to. > So, one's own personal files are at risk, and files of > other users which have permissive perms are at > risk. > As far as writing, the script is running with the user > credentials. Why would it not be able to write to or > delete the user's own files or other users' files which > have permissive perms settings? Umm, no. The javascript itself cannot access your files at all. It can just point your local web browser to show you your local files. It's the browser that is displaying your files, not javascript. Deleting and uploading are out of the question. To prove this, hook up two machines into your router, and try to look at the filesystem of machine A by accessing the router from the browser on machine B. Does it fail? Sure it does, the browser on machine B cannot see the filesystem of machine A, regardless of any router or javascript in between. Try it and see for yourself. You are making fuss over a non-issue. > > Go create a new dummy user on your machine, create somefile.txt in his > > home directory, log in as yourself and try to view the file using the > > router. If you succeed, the permissions on your system are compromised. > > If you don't, then you are fussing over that router more than it's > > worth. In both cases I doubt that javascript has much to do with it. > > As stated above, if the perms are set to... say 0700 on the > user's home dir, then no I cannot browse it by the browser. > > And this is NOT the issue I was raising, so you diverge quiet a bit. > > It is the fact that as javascript sent by web site can indeed > open my files and can upload them to a remote site. But that's not the case. Javascript did nothing of the sort. It is a simple html instruction, like this: <a href="file://127.0.0.1/"> Click here to see your local files </a> This can be implemented on any website whatsoever, and of course there is no way any information about your local filesystem can be pulled back to the server providing the link. The link just redirects your browser from that random website to your "filesystem-website", which is actually the virtual website created by your *local* browser to display your *local* files. Javascript is not involved at all here. The fact that the router's website fails to work when you use noscript on it is a question of the design of the router, but I can bet that it does not access your files in any way. Open the browser, point it to the router website, choose "view -> page source" from the menu (I'm talking Firefox here) and post the html source of what it gives you. I could bet that you can find a href anchor there just like the one that I wrote above (or something similar/equivalent). There is nothing more to it, really. And there certainly is no reason to panic over security. If this was a real hole, it would be obvious to people years ago, and certainly fixed by now... There are quite a number of people out there that are way more paranoid than you or me. They would raise the alarm long ago if it were something real. ;-) HTH, :-) Marko -- users mailing list users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
