testing local links... 


@hypolite Why can that be linked? If it's only a local link, what could it hurt?

@liaizon Because it’s a relative local link, meaning that it would try the local filesystem of anyone displaying it in their browser, although it only makes sense in your own browser.

If it was active, it opens up a bunch of potential attack vectors where you can make people edit their own files based on a hyperlink.

@hypolite Could you explain how that works? I'm a little uncertain what the attack vector would actually be.

@hypolite Browsers are not allowed to edit actual filesystem links, and relative paths will only open those files locally.

@hypolite Also, since the browser is not running as root, you would be prompted to enter your password if it was a file that could hurt your operating system, I would think.

@liaizon Attack goes like this:

Attacker wants access to one of your files.
Sends you a hypertext link with the expected relative path of the file on your filesystem.
You click on the link, it opens the file, not necessarily for editing.
You provide the content of the file, possibly unaware of the consequences.

And yes, on well-configured systems it would prevent you from editing system-sensitive files. But it still goes back to my original point: since the link only makes sense on your browser on your specific filesystem, what's the point of making it active for anyone else given the risks?

@hypolite I don't think not autolinking mitigates the issue at all, because I'm pretty sure you can just run it through a URL shortener and it would look even more normal.

I'll give you an example of how it would be useful. Let's say a bunch of folks are talking about a config file on the version of Linux they are running, and you paste the link to that local file so everyone can quickly access it. You click the link and Firefox pops up a dialog saying "What would you like to use to open said file?"

@liaizon So you want people to access your own file on your own system with a URL. In this case your link is incomplete: it needs a hostname/IP and a user that can log in to the system without credentials.

@hypolite not at all. Maybe I wasn’t clear. If everyone is on the same type of system and they are editing the same file on their own systems, that is what I would find useful.

@liaizon Ha, I see. Your original post example is pretty bad in that regard, it should have been file://~/.config but this is another can of worms I suppose.

@hypolite it should have been file:///home/wakest/.config/i3/config which was the file I was actually editing when I thought about this in the first place...
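The question running through this thread is whether a microblogging server should turn a pasted local path such as file:///home/wakest/.config/i3/config (or file://~/.config) into a clickable link at all. The usual answer in web software is a scheme allowlist in the autolinker: only http, https and mailto targets become anchors, and file: URLs or bare paths stay as plain text, so the server never emits a link into someone else's filesystem. The snippet below is an added example written for this page; it is not code from Mastodon or from anyone in the thread. The helper names (`linkTarget`, `autolink`, `escapeHtml`) and the sample post text are assumptions constructed for illustration.

```javascript
// Scheme allowlist for an autolinker (added example, not Mastodon's code).
// Anything not on this list, including file: and javascript:, is left as text.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);

// Returns the normalized href for a token that is safe to link, or null.
// Uses the WHATWG URL parser, so bare paths like "/etc/hosts" or "~/.config"
// fail to parse as absolute URLs and are rejected along with file: links.
function linkTarget(candidate) {
  let url;
  try {
    url = new URL(candidate);
  } catch {
    return null; // not an absolute URL at all
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) {
    return null; // file:, javascript:, data:, ... stay inert
  }
  return url.href;
}

// Minimal HTML escaping so the original token can be echoed back safely.
function escapeHtml(s) {
  return s
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Splits a post on whitespace (keeping the separators) and wraps only the
// allowlisted tokens in <a> tags; everything else is escaped plain text.
function autolink(text) {
  return text
    .split(/(\s+)/)
    .map((tok) => {
      const href = linkTarget(tok);
      if (href === null) return escapeHtml(tok);
      return `<a href="${escapeHtml(href)}" rel="noopener noreferrer">${escapeHtml(tok)}</a>`;
    })
    .join("");
}

// Constructed sample post mirroring the thread: one local path, one web URL.
const SAMPLE_POST =
  "edit file:///home/wakest/.config/i3/config see https://example.com";

if (typeof require !== "undefined" && require.main === module) {
  console.log(autolink(SAMPLE_POST));
}
```

Bare hostnames without a scheme (example.com) are also left unlinked by this version, which is the conservative choice; widening that is a product decision, whereas letting file: through is the mistake the thread is about.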

never awake

the personal instance of Liaizon Wakest