Closed
Bug 148418
Opened 22 years ago
Closed 21 years ago
file:///// URL behaves differently with middle mouse button
Categories
(Core :: Security, defect)
Core
Security
Tracking
()
RESOLVED
WORKSFORME
People
(Reporter: charper, Assigned: security-bugs)
References
()
Details
When I make a link using file:///// to a file on our network: <A HREF="file://///server/directory/file.doc">MyFile</A> it behaves differently depending upon if I middle-click the link verses if I left-click or right-click and select "Open in new tab" or "Open in new window". The middle mouse button works correctly (opens the file in a new tab). All other methods of clicking the link do nothing (no error message, no action).
Comment 1•22 years ago
|
||
what the heck is file:///// (with 5 /) ? I only knew it with 2 or 3...
Reporter | ||
Comment 2•22 years ago
|
||
See http://bugzilla.mozilla.org/show_bug.cgi?id=107540 for info about the 5 slashes.
The reporter says he is able to get the link to open in a new tab with the middle click button, and 5 slashes seems like a valid path (Comment 2). Reporter: If the link you are clicking is in a file: document also, reporter, then I have to say WFM, Win 98 daily build 2002053008. I get an error message (takes a few seconds). However, it is possible that something else is happening. If the link is in a non-file: document (http:, for example), it should be noted that file: links are not openable (click, open in new tab, open in new window) from http: documents. So reporter, if the link you are trying to open is in an http: document, then it is correct behavior (or at least expected behavior) for Mozilla to fail with no visible error (there is an error printed on the JavaScript console in this case). If you don't like the fact that there is no visible error message, see Bug 84128. The real bug, however, does not seem to be that the link can't be opened with click etc.; it is that the link _can_ be opened with the middle click shortcut. (If a file: link is not allowed to be opened from an http: document normally, then there should not be a way to do so with the middle click shortcut.) We need more info from reporter to rule out (or rule in?) this case. Reporter, could you please tell us the following: 1) what version of Mozilla you are using 2) the URL of the document from which you are trying to load this link (or at least the protocol of the document, for example http: or file:)
Reporter | ||
Comment 4•22 years ago
|
||
1) what version of Mozilla you are using Mozilla 1.0 Release Candidate 3 Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.0rc3) Gecko/20020523 2) the URL of the document from which you are trying to load this link (or at least the protocol of the document, for example http: or file:) The URL of the document that contains the link is an HTTP link on our internal wiki: "http://intellijet2.netjets.com/wiki-moinmoin/moin.cgi/ChrisHarper" I pulled up the JavaScript console and can see errors like the following on left-click and right-click->Open in new... "The link to file://///cmhdev01/vol1/shared/Cambridge/cc%20error.doc was blocked by the security manager. Remote content may not link to local content." However, there is no error message with the middle-click - and I get an immediate file download dialog.
Comment 5•22 years ago
|
||
Right. This is all working as-designed. Remote content linking to local content opens up a number of security holes that are simply not tenable.
Status: UNCONFIRMED → RESOLVED
Closed: 22 years ago
Resolution: --- → INVALID
Reporter | ||
Comment 6•22 years ago
|
||
I just want to make sure everyone is on the same page. When you said "This is all working as-designed." Did you mean that you were already aware of the problem and that it had already been fixed, or that the bug as described in the text (middle mouse button rehaves differently than right-click->open in new tab) is by-design?
Comment 7•22 years ago
|
||
Ugh. Sorry... I misread things...
Status: RESOLVED → UNCONFIRMED
Resolution: INVALID → ---
Comment 8•22 years ago
|
||
To security. We should be consistent in this behavior, I think...
Assignee: dougt → mstoltz
Status: UNCONFIRMED → NEW
Component: Networking: File → Security: General
Ever confirmed: true
OS: Windows 2000 → All
QA Contact: benc → bsharma
Hardware: PC → All
I think what I said above still applies: "The real bug ... is that the link _can_ be opened with the middle click shortcut." That is, "consistent behavior" would be to disallow the middle click (and ctrl click), right? If this is not happening already, the middle-click shortcut is skipping CheckLoadURI, I guess. (?) mstoltz will probably know.
Comment 10•22 years ago
|
||
*** Bug 151491 has been marked as a duplicate of this bug. ***
Assignee | ||
Comment 11•21 years ago
|
||
This has been fixed; can't reproduce it now.
Status: NEW → RESOLVED
Closed: 22 years ago → 21 years ago
Resolution: --- → FIXED
Comment 12•21 years ago
|
||
reopening as no specific patch fixed this bug.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Comment 13•21 years ago
|
||
wfm
Status: REOPENED → RESOLVED
Closed: 21 years ago → 21 years ago
Resolution: --- → WORKSFORME
You need to log in
before you can comment on or make changes to this bug.
Description
•