MozillaZine

JavaScript File I/O

Thursday May 25th, 2000

Pete Collins from Alphanumerica and Mozilla developers have created a JavaScript interface for doing file I/O in Mozilla, which will allow new Mozilla components like Alphanumerica's Crash Recovery system to function properly.

Patterned after the PHP filesystem functions, the interface supports simple operations such as file read/write and directory creation. The code has not yet made it into the nightly build, but the developers expect it to get in soon.

Note from AN: There seems to be a misconception about JavaScript File I/O being a security risk. It is important to clarify that this project is not opening any security holes in Mozilla. There is a difference between JavaScript on the Internet and JavaScript inside the application. JavaScript is used inside Mozilla to create the functionality for the application. This is in contrast to any JavaScript downloaded from the Internet that is used for functionality only inside a Web page. This project does not grant any access to JavaScript found on the Internet. For more information about how JavaScript is used inside Mozilla, read more about XPCOM and XPConnect.


#3 Re: Re: hrmmmm......

by SomeSmartAss

Thursday May 25th, 2000 11:54 AM

Cool.

Now, is there still a per-script, privilege-based security check (the way Netscape currently handles potentially dangerous JavaScript calls), so that malevolent skin designers don't start doing evil nasty stuff once their skin is installed?

Again, I'm just worried about the possibility of something being given free rein to my hard drive, simply because it's in my "skins directory" or some such.

If the answer is that the scripts only have access to the chrome area, and no further, what will stop a skin from a) filling my hard drive with millions of tiny, one-byte files (a la an old "Tribble" virus I once wrot^h^h^h^h heard about) b) somehow planting, and running, an executable that doesn't have said restrictions (i.e. a "byte-code string" hidden within the skin that gets written to file, then renamed "iAmEvil.exe" and executed. This, if my memory of the aforementioned PHP I/O calls is correct, combined with some intense bitwise operations, is technically possible, albeit quite tricky)?