Closed Bug 262478 Opened 21 years ago Closed 21 years ago

Firefox allows websites to delete arbitrary data in the user's temp dir

Categories

(Toolkit :: Downloads API, defect)

1.7 Branch
x86
Linux
defect
Not set
critical

Tracking

RESOLVED FIXED

People

(Reporter: bzbarsky, Assigned: bugs)

Details

(Keywords: fixed-aviary1.0)

See bug 240068 comment 27 paragraph 2. See also bug 259708 for related discussion. In short, a website can use a Content-Disposition header (or even a filename in a URI) to cause Firefox to delete a file with any given name from the user's temp directory. This means that malicious websites can use Firefox to interfere with normal operation of the user's computer (e.g. by wiping out X lock files, etc., stored in /tmp). Per bug 240068 comment 27, if Ben can tell me and biesi exactly what he wants out of the back end, we would be perfectly happy to make changes so that the file-removing code in question can be ditched.
Blocks: 240068, 259708
Should this be marked security sensitive? Bug 259708 dealt with something similar and was marked as security sensitive.
If I thought this should be security-sensitive, I would have marked it as such. My general feeling is that that flag is way overused.
Is this bug referring to the Remove(PR_TRUE) in nsDownloadManager::AddDownload?
Yes, but the PR_TRUE is somewhat peripheral. We just shouldn't be removing files we might not "own", period.
There's a patch for this on ftp.mozilla.org, and it has been announced on Slashdot. So has this not been checked into branch and trunk yet?
> There's a patch for this on ftp.mozilla.org
There is?
> and it has been announced on Slashdot
No, it hasn't. You're confusing this bug with bug 259708, methinks.
That's entirely possible, but I can't see that one.
I remember there being a reproducible bug with helper app launching that prompted me to add the section of code in nsDownloadManager, but now with it removed I cannot reproduce it. I've checked in the removal of the code and we'll see if anything goes wrong this week.
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
Keywords: fixed-aviary1.0
Product: Firefox → Toolkit
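
Added example, not part of the bug report or Mozilla's code: one way to follow the principle stated in the thread (never remove a file the application might not own) when the server suggests the filename. The helper name `open_download_target` and the sample name `demo.lock` are hypothetical, and POSIX path rules are assumed.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical helper (not Mozilla code): create the file for a download
 * whose name was suggested by the server. It never removes or truncates an
 * existing file; on a collision it tries "name-1", "name-2", ...
 * Returns an fd and stores the chosen path in out, or returns -1. */
int open_download_target(const char *dir, const char *suggested,
                         char *out, size_t outlen)
{
    /* Keep only the last path component so "../x" cannot leave dir. */
    const char *base = strrchr(suggested, '/');
    base = base ? base + 1 : suggested;
    if (*base == '\0' || strcmp(base, ".") == 0 || strcmp(base, "..") == 0)
        base = "download";

    for (int n = 0; n < 1000; n++) {
        int len = n == 0 ? snprintf(out, outlen, "%s/%s", dir, base)
                         : snprintf(out, outlen, "%s/%s-%d", dir, base, n);
        if (len < 0 || (size_t)len >= outlen) {
            errno = ENAMETOOLONG;
            return -1;
        }
        /* O_EXCL makes open() fail with EEXIST if anything, including a
         * symlink, already has this name: we only get files we created. */
        int fd = open(out, O_WRONLY | O_CREAT | O_EXCL, 0600);
        if (fd >= 0)
            return fd;
        if (errno != EEXIST)
            return -1;
    }
    errno = EEXIST;
    return -1;
}

int main(void)
{
    char path[256];
    /* Constructed input: a hostile name aimed at another program's file. */
    int fd = open_download_target("/tmp", "../tmp/demo.lock", path, sizeof path);
    if (fd < 0) { perror("open_download_target"); return 1; }
    printf("download will be written to %s\n", path);
    close(fd);
    unlink(path); /* safe: this process created path exclusively */
    return 0;
}
```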