[security issue] Nice link

try the following link in standard browser:

view-source:///etc/passwd

ok, shadow does not work :wink:

3 Likes

Uhhm…

I’m not sure that it’s correct calling this a security problem - maybe even misleading.
passwd intentionally is a publicly readable unix file. See this short article about the purpose of passwd. Maybe someone who knows this stuff better (me I only can ‘guess educatedly’) can comment.

In any case: access to the local file system from Browser is a (necessary) feature, not a security issue (but this most probably is a no-brainer).

3 Likes

Exactly my thoughts.

And filing as a bug like here I do not get at all.
Just try this on a Jolla1 with 1.0.0.5.
Or on a current debian/ubuntu/… system.

Maybe related to the new firejail hardening? But then it might be more a feature request to hide /etc/password? I do not know if the browser or applications inside would need to read it.

1 Like

@cy8aer: Can you elaborate on this?