How does Javascript perform operations on local files?

Surging clouds

I was about to leave work, but I had to write my third blog today when I saw this shocking news.

The new API seeks to allow JavaScript to operate on local files
Original news:

Http://arstechnica.com/open-source/news/2009/11/w3c-publishes-draft-of-new-file-api-spec.ars

News from cnbeta:
The FileReader object does not require special permissions, but for obvious security reasons, direct access to the file path is not allowed. You must combine the regular HTML file object and Click Browse, select a local file, and use the DOM to reference the file and perform operations. This mechanism makes the API relatively safer,Because the user's manual participation is required for obtaining any local file.

The following example uses this API to open a local file and display the file content in a div container. You can even add the contentEditable attribute to the div so that you can directly edit the file content,However, this API does not provide a method to write the file content back to a local file.Therefore, the edited content cannot be saved.

      <style>
      #editor {
        border: 1px solid black;
        height: 250px;
        margin: 15px;
        padding: 10px;
        overflow: scroll;
      }
    </style>
    <script type="text/javascript">
        function load() {
          var finput = document.getElementById("data");
          var editor = document.getElementById("editor");

          var f = finput.files[0];

          if (f) {
            var r = new FileReader();
            r.onload = function(e) { editor.innerHTML = e.target.result }
            r.readAsText(f);
          } else { editor.innerHTML = "Failed to load file" }
        }

        function format(c) { document.execCommand(c, false, false); }
    </script>
    <body>

    
    <p>Select a file:
    <input type="file" id="data" />
    <a href="#" onclick="load()">Load</a>
    </p>

    <p>
    <a href="#" onclick="format(bold)">Bold</a>
    <a href="#" onclick="format(italic)">Italic</a>
    <a href="#" onclick="format(underline)">Underline</a>
    </p>

    <div id="editor" contentEditable="true"></div>
  </body>






Note that the bold section above has two features:

1. Users participate in each part.

2. read only, not write



This design is out of security considerations, but it is far from enough!



I believe that for the sake of security, some operating system file contents will be prohibited during file reading, or only the file contents under some directories will be allowed to be read, however, hackers can always find various ways to limit the risks.



We have previously discovered the vulnerability of using html and javascript to traverse directories and files (which have not yet been published ), it has also been a vulnerability that allows hackers to upload files to a website by using javascript only (patched ). However, the new operation file API will undoubtedly provide a new attack surface.



An important idea of browser security model-isolation, whether it is sandbox or any other technology, will be challenged.



When I close my eyes, I think of various shellcodes that use javascript APIs to operate on local files. When I think of various XSS trick, I think of clickjacking, which may trick users into mistakenly clicking and selecting files, and then steal the file ........



Of course, new features can bring more advantages to applications. We should encourage innovation, but at the same time, we must do a good job of Security, otherwise it will become a tragedy. Today, I also saw an article about IE6, the biggest and most serious security problem in history. Is IE6 good? At that time, it was certainly good, but due to lack of security awareness at that time, it was still very costly.



I once again stressed that I am not opposed to this API, or that this feature must be used better on the basis of security.

(Recently, some people have not read my article carefully, but have to emphasize it several times because I have made some inappropriate comments out of context .)