Re: [dev] security issue running surf from home folder

From: <tautolog_AT_gmail.com>
Date: Thu, 08 Jan 2015 20:56:54 -0800

The saving to desktop vs. working directory has arguments on both sides, but that is easy enough to change in config, and leave the default to maintainer preference. A prompt would make either case known before the download, so leaving a prompt in by default helps make the distinction less of an issue. The prompt can be removed easily, and the act of doing that will reveal the exact behavior, so it is in the hands of the user at that point. 

Well, maybe a comment above the DOWNLOAD macro would be good, but as long as the default config is fine, that is the important thing.

By window.location.assign(), I am referring to webkit navigating to a .bashrc file from javascript, and surf's handling of just checking if surf can display the MIME, and immediately calling curl with no prompt (per the default config). No redirect is handled by curl for the assign() case, because surf calls curl as a response to the assign(), with the new URL. Try out the example I posted, and you will see that behavior. A .bashrc URL from the JS redirect becomes .bashrc in the home folder.

Ben
  Original Message  
From: Jakukyo Friel
Sent: Thursday, January 8, 2015 5:57 PM
To: dev mail list
Reply To: dev mail list
Subject: Re: [dev] security issue running surf from home folder

On Thu, Jan 8, 2015 at 7:07 AM, <tautolog_AT_gmail.com> wrote:


> Say you call up surf just to download a file, from a working directory.
> You would expect the download to go into the working directory, as if you called curl or wget.

1. I tend to think surf will download to a default place,
for example `~/Desktop` if I've not specified one.

2. If I do expect the same result as if I called curl or wget:

2.0 Neither curl nor wget understands window.location.assign.
2.1 curl -O does not follow a 301 redirect.
2.2 wget follows a 301 but uses the original name as the saved file name;
e.g., if 'a.html' redirects to '.bashrc', wget saves it as 'a.html'.
2.3 Since `curl -O` does not follow a 301 redirect, it will not overwrite
an already existing file unless you feed it a URL and do not look at
the last part of the URL. And wget has another level of safety net: if
it detects that a file with the same name already exists, it will change
the saved name, e.g. `.bashrc.1`, etc.
Received on Fri Jan 09 2015 - 05:56:54 CET
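As an added example for the thread's question of how a download name gets derived from a URL, and not code from surf or from either poster: a hypothetical C helper that takes the final URL (the one actually fetched, after any redirect or window.location.assign() navigation), keeps only its last path component, refuses dotfiles such as .bashrc and anything outside a conservative character set, and places the file under a fixed download directory rather than the working directory. The function names, the character whitelist and the example directory are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not surf's own code): derive a safe file name from
 * the URL a download will actually be fetched from.  Writes the name into
 * out and returns 1 on success, 0 if the URL yields no acceptable name. */
int safe_download_name(const char *url, char *out, size_t outlen)
{
    const char *start, *p, *end, *slash = NULL;
    size_t len, i;

    /* skip "scheme://" so a bare host is never mistaken for a path component */
    start = strstr(url, "://");
    start = start ? start + 3 : url;
    /* drop query string and fragment: "?name=.bashrc" must not reach the name */
    end = start + strcspn(start, "?#");
    for (p = start; p < end; p++)
        if (*p == '/')
            slash = p;
    if (!slash)            /* no path at all, e.g. "http://host" */
        return 0;
    p = slash + 1;
    len = (size_t)(end - p);
    if (len == 0 || len >= outlen)
        return 0;
    /* refuse dotfiles (".bashrc", ".profile") and the "." / ".." entries */
    if (p[0] == '.')
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)p[i];
        /* conservative whitelist: no '/', '\\', '%', spaces or control bytes */
        if (!(isalnum(c) || c == '.' || c == '-' || c == '_'))
            return 0;
    }
    memcpy(out, p, len);
    out[len] = '\0';
    return 1;
}

/* Build the full target path under a fixed download directory (assumed
 * to be configured, never the process's working directory). */
int download_target(const char *dir, const char *url, char *out, size_t outlen)
{
    char name[256];
    if (!safe_download_name(url, name, sizeof name))
        return 0;
    if (snprintf(out, outlen, "%s/%s", dir, name) >= (int)outlen)
        return 0;
    return 1;
}

/* Check helpers: does url yield exactly expected (NULL = must be refused)? */
int yields_name(const char *url, const char *expected)
{
    char name[256];
    if (!safe_download_name(url, name, sizeof name))
        return expected == NULL;
    return expected != NULL && strcmp(name, expected) == 0;
}

int target_is(const char *dir, const char *url, const char *expected)
{
    char path[512];
    if (!download_target(dir, url, path, sizeof path))
        return expected == NULL;
    return expected != NULL && strcmp(path, expected) == 0;
}

int main(void)
{
    /* constructed sample URLs; example.invalid is a reserved, non-routable name */
    const char *urls[] = {
        "http://example.invalid/report.pdf",
        "http://example.invalid/.bashrc",
        "http://example.invalid/a.html?name=.bashrc",
        "http://example.invalid/",
    };
    char path[512];
    size_t i;
    for (i = 0; i < sizeof urls / sizeof urls[0]; i++)
        printf("%-45s -> %s\n", urls[i],
               download_target("/home/user/Downloads", urls[i], path, sizeof path)
                   ? path : "(refused)");
    return 0;
}
```

The name check has to run on the final URL, which is the point of the assign() case in the thread: surf hands curl the new URL, so whatever derives the file name must look at that URL, not the one the user typed. A complete handler would also apply the same check to any Content-Disposition file name, and open the target with O_EXCL so an existing file is never silently overwritten, which is the safety net the quoted message credits wget with.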

This archive was generated by hypermail 2.3.0 : Fri Jan 09 2015 - 06:00:10 CET