Aug 21, 2009

Multiple Upload IE8 (fakepath) (English)

(Translation done by Google Translate)
Well, I am writing this article to detail a new requirement of Internet Explorer 8. I even searched on the subject but did not find many answers, and then I discovered a problem.

IE 8 now has a security feature, also present in the Opera browser: it replaces the file path with a false path.

Imagine that before, when you selected a file, its path could be captured and sent to a server, and code would then be able to access any existing file on your machine, even covertly: the files where passwords are saved for automatic login to sites and email accounts, email, etc. It could also access cookies, among other information. Of course, this requires knowing the path where these files are saved. But once the folder structure of the operating system is known (C:\ or D:\), these files can be accessed, because their storage locations follow a standard set by the operating system itself (and the OS can be identified via JavaScript).

But how can I develop a component that works without the user having to follow procedures such as adding the site as trusted? Is there a way to do this?

Well, the problem with multi-file web upload components is that they create inputFile objects at runtime, but only when the files are actually about to be sent. Usually the selection of files is done through a single input component, and the path is then recorded in a list, so that when a file is sent a new input is created and accessed by the server.

The problem arises when the component attempts to capture the path from the inputFile: now, when JavaScript reads the "value" attribute of the inputFile, it returns the false path, so that the security and integrity of users' files and passwords is guaranteed.

The solution is that whenever a file is to be selected, a new object of type inputFile should be created. This way we do not need any interaction with the file path, at most showing the file name in a list.
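
A sketch of the approach described above, added here as an example and not taken from the original post: each selection gets its own file input that stays in the form, and the script only reads the value to show a file name. The names `displayName` and `createPicker`, the field name `files[]`, and passing the document in as `doc` are assumptions made for this illustration.

```javascript
// Added example. The form is assumed to use method="post" and
// enctype="multipart/form-data" so the browser sends the chosen files itself.

// Reduce input.value to a bare file name for display only.
// Browsers that hide the path return "C:\fakepath\name.ext";
// older ones returned the real path. Either way only the last segment is kept.
function displayName(value) {
  return String(value).split(/[\\/]/).pop();
}

// Put a file input into `form`; every time a file is chosen, list its name
// in `listEl`, hide the used input and add a fresh one for the next file.
// `doc` is the page's document object (a parameter so the logic is testable).
function createPicker(doc, form, listEl) {
  function addInput() {
    var input = doc.createElement("input");
    input.type = "file";
    input.name = "files[]";               // hypothetical field name
    input.onchange = function () {
      if (!input.value) return;           // dialog was cancelled
      var item = doc.createElement("li");
      item.appendChild(doc.createTextNode(displayName(input.value)));
      listEl.appendChild(item);
      // Keep the input in the form: it, not the path string, carries the file.
      input.style.display = "none";
      addInput();                         // new input for the next selection
    };
    form.appendChild(input);
    return input;
  }
  return addInput();
}
```

In a page this would be started with `createPicker(document, theForm, theList)`; the script never stores or re-uses the path, so the `C:\fakepath\` value has no effect on the upload.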

I hope the information will help.
