Closed Bug 10194 Opened 25 years ago Closed 25 years ago

Possible security vulnerability in "chrome:" protocol - accessing local files using "chrome://global/skin/../"

Categories

(Core :: Security, defect, P3)

Product:
Core
Component:
Security
Platform:
x86
Windows 95
Type:
defect

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: joro, Assigned: norrisboyd)

References

(
URL
)

Details

The "chrome:" protocol allows accessing local files outside the mozilla
directory.
The problems are URLs like "chrome://global/skin/../", where ".." references the
parent directory (I guess this is not desired behaviour).
Communicator 4.x had similar problems with the "wysiwyg:" protocol.
Sample link is:

<A HREF="chrome://global/skin/../../../../autoexec.bat">
autoexec.bat - chrome://global/skin/../../../../autoexec.bat
</A>

Demonstration is available at:
http://www.nat.bg/~joro/mozilla/chrome1.html
Status: NEW → ASSIGNED
We need to prohibit creation of chrome: urls from web JavaScript.

This example now gets an error from the Chrome registry, but we need to have an
explicit security check.
Target Milestone: M11
Blocks: 12633
Depends on: 11462
Move security bugs from M11 to M13; needed for beta but not for dogfood.
Status: ASSIGNED → RESOLVED
Closed: 25 years ago
Resolution: --- → FIXED
Fixed:

Checking in nsChromeRegistry.cpp;
/m/pub/mozilla/rdf/chrome/src/nsChromeRegistry.cpp,v  <--  nsChromeRegistry.cpp
new revision: 1.75; previous revision: 1.74
done
Verified fixed.
Status: RESOLVED → VERIFIED
Bulk moving all Browser Security bugs to new Security: General component.  The 
previous Security component for Browser will be deleted.
Component: Security → Security: General
You need to log in before you can comment on or make changes to this bug.