Open Bug 307828 Opened 19 years ago Updated 2 years ago

Information leak of file names being viewed from web pages

Categories

(Firefox :: File Handling, defect)

x86
Linux
defect

People

(Reporter: nigelenki, Unassigned)

Details

(Keywords: privacy, sec-low, Whiteboard: [sg:low])

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20050825 Firefox/1.0.4
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20050825 Firefox/1.0.4

Information leaks appear in Firefox and Thunderbird that allow limited tracking
of user activity on multi-user systems.  In particular, it is possible to see
the file names and sizes of files viewed from web pages or opened from e-mail
attachments.  This information is typically hidden from other users, because
browser history and e-mail content is not accessible from other accounts.

Although this bug is illustrated on Linux, it affects all Unices most likely,
and could have fixable scope on Windows.

Reproducible: Always

Steps to Reproduce:
1.  Open Firefox
2.  Go to http://www.ocremix.org/
3.  Open an mp3 file in Totem et al from the site; do NOT save to disk first
4.  Look at /tmp and find the file name
5.  Google for the file name (without .mp3 perhaps, perhaps parts of it)
6.  Find your way BACK to the original file either directly or through forums
7.  Verify size and filename
8.  Check it out, you just forensically reconstructed your previous activities
in minutes!


If it's Thunderbird,
1.  Open an attachment from a message
2.  Look in /tmp and find the file name
3.  Ponder what kinds of damaging file names could be there
("drakon_project_TS_finance.xls" could represent a leak of a top secret project
name?)

Actual Results:  
Light information leak.

Expected Results:  
Can't find this stuff unless you own the files.

Fixing this is easy.


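#include <stdio.h>  /* snprintf */
#include <stdlib.h> /* mkdtemp */

char tmpl[] = "/tmp/firefox_XXXXXX"; /* writable template; mkdtemp() rewrites
                                        the X's in place */
char pathname[255];
char *tmpdir = mkdtemp(tmpl); /* make temporary directory, mode 0700;
                                 returns NULL on failure */
if (tmpdir != NULL)
    snprintf(pathname, sizeof(pathname), "%s/%s", tmpdir, filename);
    /* Make a path at /tmp/firefox_??????/$(filename) */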

Using mkdtemp() like this will allow Firefox to create a unique temporary
directory with restrictive permissions in /tmp at startup, and store files in
there.  This in turn will prevent other users from simply looking into the
temporary directory (because it's drwx------) and seeing the filenames and sizes.
Keywords: privacy
Making public per Bluefox in #firefox.
Group: security
Whiteboard: [sg:investigate]
Confirming, this is a privacy leak for users on a shared-access machine.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Whiteboard: [sg:investigate] → [sg:local]
Whiteboard: [sg:local] → [sg:low]
I think fixing this is probably best done closer to xpcom...
Component: Security → File Handling
Product: Firefox → Core
QA Contact: firefox → file-handling
Version: unspecified → Trunk
Product: Core → Firefox
Version: Trunk → unspecified
Severity: normal → S3