Bug 1689598 Comment 0 Edit History

Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0

Steps to reproduce:

1) Fresh installation of Windows 10 Enterprise Edition Version 2004
2) Fresh install Firefox 85 x86_64 (Build ID 20210118153634)
3) Create below html file in a web server

      <html>
              <body>
                      Bug
                      <a href="C:\:$i30:$bitmap">WARNING: Don't click or else corrupt your harddisk</a>
              </body>
      </html>

4) In Firefox, browse the above html via http URI  (eg http://192.168.1.1/test.html)
5) Click the link in html
6) Reboot Windows 10



Actual results:

Reboot will trigger an unexpected NTFS check due to a known and unfixed NTFS bug as at 29 Jan 2021
File system corruption or BSOD may happen too.

ref https://www.bleepingcomputer.com/news/security/windows-10-bug-corrupts-your-hard-drive-on-seeing-this-files-icon/



Expected results:

Access to local file resources (eg <a href="C:\:$i30:$bitmap">) is not expected from remote http or https request.

No issue from Chrome 88.0.4324.104 and Microsoft Chromium Edge 88.0.705.56

Similar issue was reported in Bug 1368682

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0

Steps to reproduce:

1) Fresh installation of Windows 10 Enterprise Edition Version 2004
2) Fresh install Firefox 85 x86_64 (Build ID 20210118153634)
3) Create below html file in a web server
```html
      <html>
              <body>
                      Bug
                      <a href="C:\:$i30:$bitmap">WARNING: Don't click or else corrupt your harddisk</a>
              </body>
      </html>
```
4) In Firefox, browse the above html via http URI  (eg http://192.168.1.1/test.html)
5) Click the link in html
6) Reboot Windows 10



Actual results:

Reboot will trigger an unexpected NTFS check due to a known and unfixed NTFS bug as at 29 Jan 2021
File system corruption or BSOD may happen too.

ref https://www.bleepingcomputer.com/news/security/windows-10-bug-corrupts-your-hard-drive-on-seeing-this-files-icon/



Expected results:

Access to local file resources (eg <a href="C:\:$i30:$bitmap">) is not expected from remote http or https request.

No issue from Chrome 88.0.4324.104 and Microsoft Chromium Edge 88.0.705.56

Similar issue was reported in Bug 1368682
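
The expected result stated in the report, that a page served over http or https should not be able to navigate to a local file resource, can be written as a link check. The following is an added example, not part of the bug report and not Firefox's code; the function names and the drive-letter heuristic are assumptions made for illustration.

```javascript
// Added example (hypothetical helper names, not Firefox's implementation):
// decide whether a link found on a remotely served page targets a local
// Windows file resource and should therefore not be followed.

// Raw Windows drive path: "C:\...", "C:/..." or a bare "C:".
const DRIVE_PATH = /^[a-z]:([\\/]|$)/i;

function isLocalFileTarget(href, baseUrl) {
  const raw = String(href).trim();
  if (DRIVE_PATH.test(raw)) return true;

  let resolved;
  try {
    resolved = new URL(raw, baseUrl);
  } catch {
    return false; // unparseable href: nothing to navigate to
  }
  if (resolved.protocol === "file:") return true;

  // The URL parser reads "C:..." as a URL with the one-letter scheme "c:".
  // No registered scheme is a single letter, so treat it as a drive letter.
  return /^[a-z]:$/i.test(resolved.protocol);
}

function isRemoteDocument(documentUrl) {
  const protocol = new URL(documentUrl).protocol;
  return protocol === "http:" || protocol === "https:";
}

// True when a document loaded over http(s) links to a local file resource.
function shouldBlockNavigation(documentUrl, href) {
  return isRemoteDocument(documentUrl) && isLocalFileTarget(href, documentUrl);
}

// Constructed sample: the document URL and href from the steps to reproduce.
const sampleDocument = "http://192.168.1.1/test.html";
const sampleHref = "C:\\:$i30:$bitmap";
console.log(shouldBlockNavigation(sampleDocument, sampleHref));
```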
