Closed Bug 1224648 Opened 10 years ago Closed 10 years ago

websites can be crafted to put different content on the clipboard than is visible to the user

Categories

(Core :: DOM: Serializers, defect)

defect
Not set
normal


RESOLVED DUPLICATE of bug 504748

People

(Reporter: jacques, Unassigned)


Attachments

(1 file)

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0
Build ID: 20150511103303

Steps to reproduce:

http://thejh.net/misc/website-terminal-copy-paste has a piece on how maliciously crafted websites can place content on the clipboard that is not visible during the cut operation. This can lead to commands being executed if the content is pasted to a terminal.

Actual results:

When cutting the text "git clone git://git.kernel.org/pub/scm/utils/kup/kup.git" from the website linked above onto the clipboard and subsequently pasting it you get the text "git clone /dev/null; clear; echo -n "Hello ";whoami|tr -d '\n';echo -e '!\nThat was a bad idea. Don'"'"'t copy code from websites you don'"'"'t trust! Here'"'"'s the first line of your /etc/passwd: ';head -n1 /etc/passwd git clone git://git.kernel.org/pub/scm/utils/kup/kup.git" in return!

Expected results:

A cut-and-paste operation should *only* operate on the text visible to the user, not to any elements hidden from view. cf 'principle of least surprise'
Testcase positions inline element found in the copied string offscreen.
Status: UNCONFIRMED → NEW
Component: Untriaged → Serializers
Ever confirmed: true
Product: Firefox → Core
See Also: → 567362
Version: 38 Branch → Trunk
If the description is correct:

> maliciously crafted websites can place content on the clipboard that is not
> visible during the cut operation. This can lead to commands being executed
> if the content is pasted to a terminal.

then should not this bug be Critical instead of Normal? After all, this bug creates a security vulnerability.
That's fine by me, but I'm not qualified to make that call. I only reported the problem when I encountered the proof-of-concept website, and I'm frankly surprised that nobody else did, because it received quite a bit of coverage on a forum where plenty of people from Mozilla hang out (Hacker News).
Testcase from the website
Daniel, I suspect this is something we already have a bug on. Do you know?
Flags: needinfo?(dveditz)
This is a fight we decided we can't win (bug 507748), and specifically the PoC in comment 0 was previously filed as bug 859127. Not only that, we've completely thrown in the towel and decided to implement the Device-API standard that lets sites programmatically set your clipboard in bug 1012662.
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: needinfo?(dveditz)
Resolution: --- → DUPLICATE
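
A pre-paste check for the situation reported in this bug, added here as an example (it is not code from the bug, its testcase or Firefox): it compares the text the user believes they selected with what is actually on the clipboard and flags line breaks, control characters and shell operators. The function name `inspect_clipboard` and the sample strings are assumptions; the clipboard sample is abridged from comment 0, and the position of its line break is assumed.

```python
import re
import unicodedata

# Shell operators that chain, substitute or redirect commands: ; & | ` $( < >
CHAINING = re.compile(r";|&|\||`|\$\(|[<>]")


def inspect_clipboard(selected_text, clipboard_text):
    """Return reasons why clipboard_text should not be pasted into a shell as-is.

    selected_text  -- what the user saw and believes they copied
    clipboard_text -- what is actually on the clipboard
    """
    findings = []
    if clipboard_text != selected_text:
        extra = len(clipboard_text) - len(selected_text)
        findings.append(f"clipboard differs from visible selection ({extra:+d} chars)")
    # A line break makes the shell run the preceding text on paste, with no
    # chance to review it, unless terminal and shell use bracketed paste.
    if "\n" in clipboard_text or "\r" in clipboard_text:
        findings.append("line break: text before it runs on paste without Enter")
    # Control characters other than tab and line breaks.
    ctrl = sorted({f"U+{ord(c):04X}" for c in clipboard_text
                   if unicodedata.category(c) == "Cc" and c not in "\t\r\n"})
    if ctrl:
        findings.append("control characters: " + ", ".join(ctrl))
    # Operators present on the clipboard but absent from the visible text.
    ops = sorted(set(CHAINING.findall(clipboard_text))
                 - set(CHAINING.findall(selected_text)))
    if ops:
        findings.append("shell operators not in the visible text: " + " ".join(ops))
    return findings


# Constructed sample: the visible string is the one quoted in comment 0; the
# clipboard string is an abridged form of the pasted result, with the line
# break placed before the visible command as an assumption.
VISIBLE = "git clone git://git.kernel.org/pub/scm/utils/kup/kup.git"
CLIPBOARD = 'git clone /dev/null; clear; echo -n "Hello ";whoami\n' + VISIBLE

if __name__ == "__main__":
    for reason in inspect_clipboard(VISIBLE, CLIPBOARD):
        print("WARNING:", reason)
```
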