Bug 1493539
Opened 6 years ago
Closed 6 years ago
Firefox Remote Denial Of Service attack using extremely long filenames
Categories
(Firefox :: File Handling, defect)
RESOLVED
DUPLICATE
of bug 1438214
People
(Reporter: u614211, Unassigned, NeedInfo)
Details
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Steps to reproduce:
You can try it @ https://reaperbugs.com/
Source: https://gist.github.com/pwnsdx/d20a99c0500d6f05993ef730bef26746
Actual results:
Repeatedly prompting the user to download a file that has an enormous filename will hang the main process.
Expected results:
Behavior for download prompts should be more like Chrome, where it seems to handle those cases with ease. Preventing websites from downloading more than one file unless the user says so is probably the way to go. Truncation / rejection of long filenames would also be nice to have.
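The truncation or rejection of long filenames asked for in the description above, as an added example (not Firefox code and not taken from the linked gist): a site-supplied filename is capped by UTF-8 byte length before any prompt sees it, keeping a short extension and never splitting a code point. The function names and all three limits are assumptions.

```javascript
// Added example; the limits and names below are assumptions, not Firefox values.
const MAX_NAME_BYTES = 255;       // common filename length limit (e.g. NAME_MAX on Linux)
const MAX_EXT_BYTES = 16;         // longer "extensions" are treated as part of the name
const REJECT_ABOVE_BYTES = 4096;  // beyond this, refuse instead of truncating

const encoder = new TextEncoder();
const byteLength = (s) => encoder.encode(s).length;

// Cut a string to at most maxBytes of UTF-8 without splitting a code point.
function truncateUtf8(str, maxBytes) {
  let out = "";
  let used = 0;
  for (const ch of str) {         // iterates by code point, not UTF-16 unit
    const n = byteLength(ch);
    if (used + n > maxBytes) break;
    out += ch;
    used += n;
  }
  return out;
}

// Decide what to do with a site-supplied download filename before any UI sees it.
function capSuggestedFilename(suggested) {
  // UTF-16 length never exceeds UTF-8 byte length, so a huge string is
  // rejected here without being encoded or copied.
  if (suggested.length > REJECT_ABOVE_BYTES ||
      byteLength(suggested) > REJECT_ABOVE_BYTES) {
    return { ok: false, name: null, reason: "rejected: filename too long" };
  }
  if (byteLength(suggested) <= MAX_NAME_BYTES) {
    return { ok: true, name: suggested, reason: null };
  }
  // Keep a short extension so the file type stays visible to the user.
  const dot = suggested.lastIndexOf(".");
  let ext = dot > 0 ? suggested.slice(dot) : "";
  if (byteLength(ext) > MAX_EXT_BYTES) ext = "";
  const stem = ext ? suggested.slice(0, dot) : suggested;
  const name = truncateUtf8(stem, MAX_NAME_BYTES - byteLength(ext)) + ext;
  return { ok: true, name, reason: "truncated" };
}
```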
Updated•6 years ago
Group: firefox-core-security
Updated•6 years ago
Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE
Comment 2•6 years ago
Maybe there's something we can do about the parent process hang due to the long filenames before we fix the dos with multiple downloads.
Group: firefox-core-security
Status: RESOLVED → REOPENED
Component: Untriaged → File Handling
Ever confirmed: true
Flags: needinfo?(paolo.mozmail)
Resolution: DUPLICATE → ---
Summary: Firefox Remote Denial Of Service attack → Firefox Remote Denial Of Service attack using extremely long filenames
Comment 3•6 years ago
Isn't this just because of the blob URL handling? If so, we can probably dupe it to bug 1438214.
Comment 4•6 years ago
(In reply to Johann Hofmann [:johannh] from comment #3)
> Isn't this just because of the blob URL handling? If so, we can probably
> dupe it to bug 1438214.
Oh, I missed that. Yeah, thanks. That bug needs an owner...
Group: firefox-core-security
Status: REOPENED → RESOLVED
Closed: 6 years ago → 6 years ago
Flags: needinfo?(paolo.mozmail)
Resolution: --- → DUPLICATE
Comment 5•6 years ago
(In reply to Sabri from comment #0)
> Preventing websites from downloading more than one file unless the user says so is probably the way to go.
The download spam prevention project is relevant, see bug 1306334.
Updated•4 years ago
Flags: needinfo?(bachducntn)