
Browsers do not generally allow web pages to interact with the client-side file system as a security measure. I would like to know what can go wrong with the following scenario:

Clicking a special hyperlink in a browser opens a link-specified folder in Windows File Explorer.

Steps to achieve this:

  1. A protocol handler application is installed on browser machines.
  2. It registers itself for the `nfx:` protocol (similar to mail clients, which register the `mailto:` protocol).
  3. A user clicks a hyperlink with an `href="nfx://machinename/share/folder/"`.
  4. The protocol handler application is launched by the browser with the above URL as a process argument.
  5. All `/` are converted to the path separator (e.g. `\`), and `nfx:` is removed from the start of the URL. The result, `\\machinename\share\folder\`, is checked to see if the directory exists.
  6. If it exists, the user is asked to confirm whether they want to open this folder. If the user confirms, then `explorer.exe` is launched with `\\machinename\share\folder\` as a parameter.
  7. The protocol launcher application exits.

Why was this done (in case this is an XY problem):

  1. I have a requirement where regularly updated installers are kept on a network path.
  2. A webpage will list all the available installers.
  3. Clicking on the link should take the user to the installer location.
  4. We are not expected to download or directly launch the installer from the webpage. The user can decide if he wants to run the installer once the folder is opened in Windows Explorer.

How dangerous will opening a network folder or local folder like this be?

AEonAX
  • Can a `protocol-handler` tag be created and applied to this question? – AEonAX Sep 15 '18 at 13:53
  • So, you mean like `file:///C:/` which is already a feature in browsers? Chrome and Firefox open the file list in the browser window, IE opens a new window. – schroeder Sep 15 '18 at 20:34
  • @schroeder href with file protocol do not work OOTB for firefox and chrome – AEonAX Sep 17 '18 at 05:38

1 Answer

The part I don't like is the network path.

It should be OK if you check that the path does not contain characters not allowed in a path, that the path is a folder, and that it is on the local machine.

However, if you allow a remote file system, you are suddenly allowing the webpage to request a potentially insecure connection to an unknown system, which could send back a whole range of garbage to a black box app from Microsoft of all people. There are likely vulnerabilities in Explorer that could be abused here.

Peter Harmann
  • I do ask for user confirmation if they want to open the folder in explorer. But this is also a good point. – AEonAX Sep 17 '18 at 05:40
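
A sketch of the validation the answer calls for, applied to steps 5 and 6 of the question; this is an added example, not code from the post. The host and share allowlist (`ALLOWED_HOSTS`, `ALLOWED_SHARES`), the sample server name and all function names are assumptions, introduced because the asker's use case needs a network path rather than the local-only restriction the answer suggests.

```python
import os
import re
import subprocess
from urllib.parse import urlsplit, unquote

# Assumed policy (hypothetical names, not from the post): the only server and
# share the handler may ever open.
ALLOWED_HOSTS = {"buildserver01"}
ALLOWED_SHARES = {"installers"}
# Characters Windows forbids in a path component, plus backslash and controls.
FORBIDDEN = re.compile(r'[<>:"|?*\\\x00-\x1f]')
RESERVED = re.compile(r"^(con|prn|aux|nul|com[1-9]|lpt[1-9])(\..*)?$", re.I)


class Rejected(ValueError):
    """The URL does not satisfy the handler's policy."""


def nfx_to_unc(url):
    """Map an nfx:// URL to a UNC path using string checks only (no I/O)."""
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        raise Rejected("unparseable URL") from exc
    if parts.scheme.lower() != "nfx" or parts.query or parts.fragment:
        raise Rejected("not a plain nfx:// URL")
    host = parts.netloc.lower()  # exact match also rejects user@host and :port
    if host not in ALLOWED_HOSTS:
        raise Rejected("host not allowlisted")
    # Decode once, then validate the decoded form so %2e%2e or %5c cannot hide.
    segs = unquote(parts.path).strip("/").split("/")
    if segs[0].lower() not in ALLOWED_SHARES:
        raise Rejected("share not allowlisted")
    for seg in segs:
        if (not seg or seg in (".", "..") or seg[-1] in ". "
                or FORBIDDEN.search(seg) or RESERVED.match(seg)):
            raise Rejected("bad path component: %r" % seg)
    return "\\\\" + host + "\\" + "\\".join(segs)


def open_folder(url):
    """Steps 5-6 of the question, with policy checks before any file access."""
    unc = nfx_to_unc(url)  # probing a UNC path already contacts that host
    if not os.path.isdir(unc):
        raise Rejected("not an existing folder")
    # The user confirmation prompt from step 6 belongs here.
    subprocess.run(["explorer.exe", unc], check=False)  # argv list, no shell
```

The ordering matters: the directory-exists check in step 5 is itself a connection to whatever host the link names, so the allowlist has to pass before that check runs.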