Closed Bug 267828 Opened 20 years ago Closed 19 years ago

nsLocalFileWin::IsExecutable needs to trim trailing dots

Categories

(Core :: XPCOM, defect)

Product:
Core
Component:
XPCOM
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: dbaron, Assigned: dougt)

References

Details

(Keywords: fixed-aviary1.0.1, fixed1.7.6, Whiteboard: ETA 2/11)

Attachments

(2 files, 3 obsolete files)

Patch v.3
1000 bytes, patch
dbaron
: review+
dveditz
: approval-aviary1.0.1+
dveditz
: approval1.7.6+
dveditz
: approval1.8b+
Details | Diff | Splinter Review
updated testcase
1.37 KB, text/html
Details 
This comes from investigation of bug 267122.

It seems that when saving a file in Windows, trailing dots are trimmed from the
filename.  Therefore a file saved as "foo.exe." will be saved as "foo.exe", and
an attempt to read a file "foo.bar..." will read the file "foo.bar".

This means that nsLocalFile::IsExecutable in nsLocalFileWin needs to be fixed to
trim trailing dots before comparison.

(Perhaps normalization needs to happen at an earlier stage?  Are there any other
functions in nsLocalFile that are security-sensitive?)

Do we need to trim any other characters as well?
sounds like this is fixed for seamonkey and just needed for firefox.
Flags: blocking-aviary1.1?
Assignee: darin → roc
Flags: blocking1.7.6+
Flags: blocking-aviary1.0.1+
<roc> what I want to know is:
<roc> -- Does Windows strip trailing dots when you do a ShellExecute on a file?
<roc> -- Does Windows strip trailing dots when you create a file?
<roc> (i.e. via CreateFile API)

I put together a test app to find out:

  ShellExecute(GetDesktopWindow(), "open", "test.txt...", NULL,
               ".", SW_RESTORE);
This opened "test.txt".  I could not find a way to create a file with trailing
dots (I tried GUI apps, commandline, and cygwin).

  CreateFile("test2.txt...", FILE_ALL_ACCESS, FILE_SHARE_READ, NULL,
             CREATE_ALWAYS, 0, NULL);
This created a file called "test2.txt".
thanks Chris. Do you want to try making a fix for this bug?
Whiteboard: need ETA
Whiteboard: need ETA → ETA 2/11
Attached patch Patch v.1 (obsolete) — Splinter Review 
This patch does two things.  First is normalizing the path in IsExecutable(). 
Secondly, and probably more importantly, we call IsExecutable() in Launch(). 
This  will prevent us from executing processes that we have filtered out in
IsExecute.
Attachment #173992 - Flags: review?(dbaron)
Attached file test cases (obsolete) — 
dbaron, I am not sure if you had a particular test case that you wanted me to
try out.  attached are a few that I was playing with to ensure nothing got
broken.
Comment on attachment 173992 [details] [diff] [review]
Patch v.1

It doesn't look like the normalize function performs the normalization needed
to fix this bug.

(Do we need to do this for all components of the path, or just file names?)
Attachment #173992 - Flags: review?(dbaron) → review-
Attached patch Patch v.2 (obsolete) — Splinter Review 
this corrects normalization as you suggested.
Attachment #173992 - Attachment is obsolete: true
Attachment #173996 - Flags: review?(dbaron)
Is Launch supposed to work on files that aren't executable (i.e., launch the
program that handles that type)?
Attached patch Patch v.3Splinter Review 
fix the bug, and nothing but the bug.
Attachment #173996 - Attachment is obsolete: true
Launch() needs to work on any file type the OS knows how to launch ("equivalent
of doucle-clickin on the icon", like the documentation says).
Comment on attachment 173996 [details] [diff] [review]
Patch v.2

r- per comment 11
Attachment #173996 - Flags: review?(dbaron) → review-
Comment on attachment 173998 [details] [diff] [review]
Patch v.3

So I did some quick tests and found that Windows seems to strip all trailing
dots and spaces off the last component of the path, but only a single trailing
dot off of preceding components.  This patch thus doesn't seem to do quite
enough normalization.  If you don't want to fix that here, could you please
file a followup bug on fixing that issue?  There may be other dangers in doing
too little normalization (there's certainly danger in doing too much).

(Also, is there a system function we could call to normalize the path?	Does
normalization differ across versions of Windows?)
Attachment #173998 - Flags: review+
i do not see any danger in leaving a trailing dot in a non terminal component of
a file path.  I will check this in as is, and follow up with a new bug to review
and possibly clean up the windows normalization code.  I do remember a Win32
function called *FixUp* that normalized.  It might have been defined by windows
or maybe defined in another source base.
Comment on attachment 173998 [details] [diff] [review]
Patch v.3

a=dveditz for 1.7 and aviary1.0.1 branches
Attachment #173998 - Flags: approval1.7.6+
Attachment #173998 - Flags: approval-aviary1.0.1+
Comment on attachment 173998 [details] [diff] [review]
Patch v.3

a=dveditz for 1.8b too
Attachment #173998 - Flags: approval1.8b+
I'm actually wondering now whether IsExecutable should really be changing the
object by calling Normalize.  We should probably be consistent across platforms
about this sort of thing.

Also, should we pull bug 187957 onto the branches?  Does it have security
implications?
dbaron and I agreed that IsExecutable should not mutate the object.  The patch
that landed was slightly modifed -- we are not calling Normalize in
IsExecutable, but simply remove the trailing dots and spaces from the path
before we compare.

This patch landed on the trunk, 171, and avairy branches.

I created bug 281951 to track normalization cleanup, if any.

I am not sure if we need to back port normalize.  As I remember, it was added to
fixup problem when creating nsLocalFile's using bad paths from javascript.
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Flags: blocking1.8b?
Flags: blocking-aviary1.1?
Doug:  I am failing the testcases you posted.  Not sure if I setup the
environment wrong or if this bug is not fixed.  I put notepad.exe in the right
location and failed the last 5 tests:

    success &= TestExecute("C:\\windows\\notepad.exe", true);
    success &= TestExecute("C:\\windows\\notepad.exe .", false);
    success &= TestExecute("C:\\windows\\notepad.exe . ", false);
    success &= TestExecute("C:\\windows\\notepad.exe.", false);
    success &= TestExecute("C:\\windows\\notepad.exe..", false);
    success &= TestExecute("C:\\windows\\notepad.exe...", false);

I could not create any files with trailing dots or spaces, so not sure if I need
those files to exist.  I'm guessing not, since the js code seems to handle all
that stuff.  What am I doing wrong?  And if nothing, should we reopen this bug?

I already reopened bug 275441 since it didn't look like the fix here worked for
those cases.  I could be wrong, so please let me know what I can do to retest. 
Thanks.
>    success &= TestExecute("C:\\windows\\notepad.exe .", false);

isExecutable should be returning "true" for this case... so it looks like the
test is wrong?


reopening based on Jay's comment.
Status: RESOLVED → REOPENED
Keywords: fixed-aviary1.0.1, fixed1.7.6
Resolution: FIXED → ---
Er.. as far as I can tell, Jay's comment is based on incorrectly testing the fix. 
bz, the test was written when I thought that we shouldn't say a file is
executable if it ended in trailing spaces or dots. 
sorry jay -- I should have be more clear about the usage of this testcase. 
Doug:  So should all of those cases be using "true" as the param for
shouldExecute?  We are trying to trim everything so that windows sees the file
eventually as just "notepad.exe", right?  If that is the case, I already tested
with everything set to "true" and all the tests pass.  If I'm still way off, let
me know how to properly test this.  Thanks.  

I'm guessin you guys might have already tested this again, but I still want to
figure out how this works for my own sanity.  :-)  Feel free to mark this fixed
again if you have verified it yourselves.
Attached file updated testcase 
Updated testcase to pass correct param, and to eliminate the annoying multiple
security requests that encourage granting permanent god privileges to any
bugzilla attachment that comes along (which would be a really, really, bad
thing to do).
Attachment #173993 - Attachment is obsolete: true
(In reply to comment #26)
> Updated testcase to pass correct param, and to eliminate the annoying multiple
> security requests 

of course with default settings, no security request at all appears, and the
testcase just fails to work
The new testcase worked fine for me and passed all the tests.
Blocks: 275441
This one does appear fixed, it just didn't fix bug 275441 as expected.
Keywords: fixed-aviary1.0.1, fixed1.7.6
Group: security
This bug is fixed, comment 21 was a mistake.
Status: REOPENED → RESOLVED
Closed: 20 years ago19 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: