问题
I am working on a little photo app where the user selects a local file and it is pushed into a canvas with window.URL.createObjectURL(file) - really basic stuff. During testing I briefly dumped the contents of the File array to the console - just to make sure I was getting what I want.
I am using Firefox 31.0 (not Iceweasel) and Chrome 34.0.1847.116 (not Chromium) on Debian 7
I am calling the array like this:
var file = evnt.target.files[0];
if (file) {
console.log('file');
// other stuff
}
The console.log looks like this in the Google Chrome Browser:
File {
name: "image.png"
size: 55464
type: "image/png"
webkitRelativePath: ""
}
And like this in Mozilla Firefox Browser:
File {
size: 55464,
type: "image/png",
name: "image.png",
path: "",
lastModifiedDate: Date 2014-09-09T13:30:30.000Z,
mozFullPath: "/home/server/Desktop/image.png"
}
I can request:
console.log(evnt.target.files[0]['type')
and correctly receive "image/png" as response, however when I request:
console.log(evnt.target.files[0]['mozFullPath']);
I just get a response of: ""
Why does this information leak through the evnt.target.files[0] array, but is invisible when I call it directly?
Is this information about the structure of my filesystem only being shown to my privileged console, or can it be leaked via man-in-the-middle attacks on my browser?
EDIT
In older Firefox browsers this would have worked to elevate permissions:
netscape.security.PrivilegeManager.enablePrivilege("UniversalBrowserRead");
But it does not anymore. At any rate, it is an issue when using Firefox on public Linux terminals / other people's computers because IT DOES leak file system information like directory structure and system username. Together with other exploits, this seems to me to be a dangerous threat... Or am I just overreacting?
来源:https://stackoverflow.com/questions/25765655/is-mozfullpath-in-firefox-during-file-upload-a-security-risk