input type=file may be dangerous #10
… Wang for node-webkit. Also disabled emulation of user gestures
Thanks for contributing patches! The operation should be enabled in a Node frame to support a different security model beyond the browser. And it should be disabled for normal frames, see

Unfortunately, this is not reflected in the source code. You can access the "file.path" property on an ordinarily created input file element inside a normal frame. You can also set the value of that element, which violates the W3C standard. The value of that element returns the complete path, not the fakepath as is usual (regardless of frame type). Also, gesture checking is disabled globally; nothing checks whether the frame is a node-js frame or not. I found these issues thanks to the following article (translated from Czech)

Then the correct fix should be disabling it and keeping the standard in a normal frame, but keeping it enabled in a Node frame. Not by simply removing it.
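A self-check a page can run against its own file input to confirm the standard behaviour this comment describes (fakepath value, no full path, value not settable by script); this is an added example, not code from the nwjs project or any participant, and the two stand-in input objects are constructed so it runs outside a browser:

```javascript
// Per the HTML spec, reading .value of a file input yields "C:\fakepath\<name>",
// and assigning any non-empty string to .value throws InvalidStateError.
// A non-standard "path" property on the element, or a real path in .value,
// means the frame exposes the local filesystem to page script.
const FAKEPATH_PREFIX = "C:\\fakepath\\";

function auditFileInput(input) {
  const findings = [];
  // 1. Non-standard "path" property exposed on the element itself.
  if (typeof input.path === "string" && input.path.length > 0) {
    findings.push("element exposes full path via .path: " + input.path);
  }
  // 2. .value must be empty or fakepath-prefixed, never a real path.
  const v = input.value;
  if (v && !v.startsWith(FAKEPATH_PREFIX)) {
    findings.push("value is a real path, not fakepath: " + v);
  }
  // 3. Assigning a non-empty value must be rejected.
  const probe = "/tmp/should-not-be-settable"; // constructed probe string
  let assignRejected = false;
  try {
    input.value = probe;
  } catch (e) {
    assignRejected = true;
  }
  if (!assignRejected || input.value === probe) {
    findings.push("value is programmatically settable");
  }
  return { safe: findings.length === 0, findings };
}

// Constructed stand-ins (hypothetical, for running without a DOM):
// a spec-compliant file input, and one behaving like the extension
// described in the thread (full path exposed, value writable).
function makeStandardInput(fileName) {
  let value = fileName ? FAKEPATH_PREFIX + fileName : "";
  return {
    get value() { return value; },
    set value(v) {
      if (v !== "") throw new Error("InvalidStateError");
      value = "";
    },
  };
}
function makeLeakyInput(fullPath) {
  return { path: fullPath, value: fullPath }; // plain writable value
}
```

In a real page, pass the `<input type="file">` element itself to `auditFileInput` after the user has picked a file.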
btw, you can also access the "file.path" property and set it in the Chrome browser.

```html
<html>
<head><title>file</title>
<script>
function test() {
  var f = document.getElementById('f0');
  // read the non-standard "path" property of the file input element
  console.log("path: ", f.path);
  // assign a path to it and read it back
  f.path = '/usr/bin/ls';
  console.log("path: ", f.path);
}
</script>
</head>
<body>
<!-- input is a void element, so it takes no closing tag -->
<input type="file" id="f0">
<button onclick="test();">test</button>
</body></html>
```

Sorry, I will no longer contribute to this project due to the incompetence of its maintainer.
We treat security issues seriously. The last valid security report got fixed and delivered in ~2 hours. |
And change to default of processingUserGesture as fail safe Fix #10 test case: http://jsfiddle.net/0104bhnc/1/
The fix for the case http://jsfiddle.net/0104bhnc/1/ can be downloaded here: http://dl.node-webkit.org/live-build/12-28-2014/0796d42-d8ecacd-a1cc175-f2f89e2-d9a9d39-cdd879e/

Thank you. Now it looks more accurate. I appreciate that UserGestureIndicator.cpp has been rolled back to the original version, because it had the potential to affect other parts of WebKit, and I have no knowledge of all the places where this flag is tested. Now only the file picker can be invoked using an emulated mouse click, and only inside a frame marked as a node-js frame. That is correct behaviour.
The current implementation of the extension of `<input type="file">` (described here: https://github.com/rogerwang/node-webkit/wiki/File-dialogs) can be dangerous and can raise several security issues. I suggest a complete rollback of this extension and implementing it in a different way.
My opinion is that the file-dialogs extension is one of the worst features. You should avoid it completely.
I also disabled emulation of user gestures. Giving scripts the ability to emulate the user is also a huge security issue.