Bug 10194: Possible security vulnerability in "chrome:" protocol - accessing local files using "chrome://global/skin/../"
Status: VERIFIED FIXED (Closed)
Opened 25 years ago, closed 25 years ago
Categories: Core :: Security, defect, P3
Milestone: M13
People: Reporter: joro, Assigned: norrisboyd
The "chrome:" protocol allows accessing local files outside the mozilla directory. The problems are URLs like "chrome://global/skin/../", where ".." references the parent directory (I guess this is not desired behaviour). Communicator 4.x had similar problems with the "wysiwyg:" protocol.

Sample link is:

<A HREF="chrome://global/skin/../../../../autoexec.bat"> autoexec.bat - chrome://global/skin/../../../../autoexec.bat </A>

Demonstration is available at: http://www.nat.bg/~joro/mozilla/chrome1.html
Updated • 25 years ago (Assignee)
Status: NEW → ASSIGNED
Comment 1 • 25 years ago (Assignee)
We need to prohibit creation of chrome: urls from web JavaScript. This example now gets an error from the Chrome registry, but we need to have an explicit security check.
Updated • 25 years ago (Assignee)
Target Milestone: M11
Comment 2 • 25 years ago (Assignee)
Move security bugs from M11 to M13; needed for beta but not for dogfood.
Updated • 25 years ago (Assignee)
Status: ASSIGNED → RESOLVED
Closed: 25 years ago
Resolution: --- → FIXED
Comment 3 • 25 years ago (Assignee)
Fixed:
Checking in nsChromeRegistry.cpp;
/m/pub/mozilla/rdf/chrome/src/nsChromeRegistry.cpp,v  <--  nsChromeRegistry.cpp
new revision: 1.75; previous revision: 1.74
done
Bulk moving all Browser Security bugs to new Security: General component. The previous Security component for Browser will be deleted.
Component: Security → Security: General
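
The description in this bug shows ".." segments in a chrome: URL climbing out of the directory that "global/skin" maps to. The following is an added example, not code from this bug, from nsChromeRegistry.cpp, or the fix that was checked in: a lexical containment check in C++ that rejects such URLs. `ResolveChromeUrl` and `PercentDecode` are hypothetical names, and it assumes the first two path segments select the package and provider directory.

```cpp
#include <cctype>
#include <cstdlib>
#include <string>
#include <vector>

// Decode %XX escapes so "%2e%2e" is checked as "..". Fails on malformed
// escapes and on an encoded NUL byte.
static bool PercentDecode(const std::string& in, std::string* out) {
    for (size_t i = 0; i < in.size(); ++i) {
        if (in[i] != '%') { *out += in[i]; continue; }
        if (i + 2 >= in.size() || !std::isxdigit((unsigned char)in[i + 1]) ||
            !std::isxdigit((unsigned char)in[i + 2])) return false;
        char c = (char)std::strtol(in.substr(i + 1, 2).c_str(), nullptr, 16);
        if (c == '\0') return false;
        *out += c;
        i += 2;
    }
    return true;
}

// Hypothetical resolver: on success stores "<package>/<provider>/<rest>" in
// *resolved; returns false if the URL is malformed or escapes that directory.
bool ResolveChromeUrl(const std::string& url, std::string* resolved) {
    static const std::string kScheme = "chrome://";
    std::string path;
    if (url.compare(0, kScheme.size(), kScheme) != 0 ||
        !PercentDecode(url.substr(kScheme.size()), &path)) return false;
    std::vector<std::string> kept;   // segments accepted so far
    std::string seg;
    path += '/';                     // sentinel so the last segment is flushed
    for (char c : path) {
        if (c != '/' && c != '\\') { seg += c; continue; }
        if (seg == "..") {
            // The first two segments name the package and provider; ".."
            // may cancel only segments that come after them.
            if (kept.size() <= 2) return false;
            kept.pop_back();
        } else if (!seg.empty() && seg != ".") {
            kept.push_back(seg);
        }
        seg.clear();
    }
    if (kept.size() < 2) return false;
    resolved->clear();
    for (size_t i = 0; i < kept.size(); ++i)
        *resolved += (i ? "/" : "") + kept[i];
    return true;
}
```

The check is purely lexical, so a caller would still map the returned relative path onto the real chrome directory and would need a separate check for symbolic links.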