From: Karl Dahlke <eklhad@comcast.net>
To: Edbrowse-dev@lists.the-brannons.com
Date: Mon, 05 Mar 2018 17:17:50 -0500
Subject: [Edbrowse-dev] zip and security

Here is something funny, so terribly unlikely that I'm not gonna worry about it, but there's always a way, isn't there?

Suppose Fred knows all about edbrowse, and millions of people are using edbrowse (instead of 15), and he knows a lot of us use the plugins in the wiki to access zip files.
He writes a web page with JavaScript that does an XHR request to zipxd://foo.zip@:@top
If anything is found, the JavaScript sends it back to the server for analysis.
Or maybe the script traverses the entire tree in the zip archive and sends all the files to the server.

Now I say it's unlikely because the web page would have to know the name of your zip file, i.e. the path to your zip file, and at least one directory.
In my example it has to know there is foo.zip in your current directory and it has a directory inside it called top.
There aren't any standard zip files in standard places on Unix machines, so I guess we're all right.
I just looked under /bin /lib /usr /etc and found none.

Karl Dahlke
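The risk described in the message above is that script delivered by a remote web page can issue an XHR to a scheme that a local plugin handles (zipxd: here), which turns the plugin into a read path into the user's files. The usual mitigation in a browser is a scheme allowlist enforced at the XHR layer: script from a page may only fetch http and https targets, whatever scheme the page itself came from, and anything else is refused and logged. The following C is an added example written for this post; it is not edbrowse's own code, and the function names (url_scheme, xhr_target_allowed) and the sample URLs are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Extract the URL scheme per RFC 3986 (ALPHA *(ALPHA / DIGIT / "+" / "-" / ".") ":"),
 * lowercased, into out. Returns 1 on success, 0 if the URL has no scheme
 * (i.e. it is relative) or the scheme does not fit in out. */
static int url_scheme(const char *url, char *out, size_t outlen)
{
    size_t i = 0;
    if (!url || !isalpha((unsigned char)url[0]))
        return 0;
    while (url[i] && (isalnum((unsigned char)url[i]) ||
                      url[i] == '+' || url[i] == '-' || url[i] == '.')) {
        if (i + 1 >= outlen)       /* leave room for the terminator */
            return 0;
        out[i] = (char)tolower((unsigned char)url[i]);
        i++;
    }
    if (url[i] != ':')             /* "foo.zip@:@top" stops at '@' -> relative */
        return 0;
    out[i] = '\0';
    return 1;
}

/* Policy check for script-initiated requests (hypothetical hook name).
 * A relative target inherits the page's scheme; the resolved target scheme
 * must be http or https. Plugin schemes such as zipxd: and file: are refused
 * no matter what the page's own scheme is, so remote script can never reach
 * a local archive handler. Returns 1 to allow, 0 to deny. */
int xhr_target_allowed(const char *page_url, const char *target_url)
{
    char page_scheme[32], target_scheme[32];
    const char *effective;

    if (!url_scheme(page_url, page_scheme, sizeof page_scheme))
        return 0;                  /* page URL must itself be absolute */

    if (url_scheme(target_url, target_scheme, sizeof target_scheme))
        effective = target_scheme; /* absolute target: judge its own scheme */
    else
        effective = page_scheme;   /* relative target: resolves against the page */

    if (strcmp(effective, "http") == 0 || strcmp(effective, "https") == 0)
        return 1;

    /* Denied requests are worth an audit line: a page probing plugin schemes
     * is exactly the behaviour the message above describes. */
    fprintf(stderr, "xhr denied: page=%s target=%s scheme=%s\n",
            page_url, target_url, effective);
    return 0;
}

int main(void)
{
    /* Constructed sample requests, mirroring the scenario in the message. */
    const char *page = "https://example.test/article.html";
    const char *targets[] = {
        "https://example.test/api/data",   /* allowed */
        "/api/relative",                   /* allowed: inherits https */
        "zipxd://foo.zip@:@top",           /* denied: plugin scheme */
        "file:///tmp/foo.zip",             /* denied: local file scheme */
    };
    for (size_t i = 0; i < sizeof targets / sizeof targets[0]; i++)
        printf("%-36s -> %s\n", targets[i],
               xhr_target_allowed(page, targets[i]) ? "allow" : "deny");
    return 0;
}
```

The check deliberately ignores the page's own scheme when deciding what it may fetch: even a page that was itself opened through zipxd: gets no XHR access to other zipxd: paths, which keeps the rule simple enough to reason about. The denial is logged rather than silently dropped, so a page that probes for archive paths leaves a trace the user can inspect.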