Closed Bug 1295023 (CVE-2017-5387) Opened 3 years ago Closed 3 years ago
Ability to determine the existence of a file in the local filesystem
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Build ID: 20160802213348

Steps to reproduce:
The issue exists because a <track> tag's onerror event is triggered twice if the file referenced in its src attribute doesn't exist, while it's only triggered once if the file exists but is not playable. Please check the attached file for a PoC. Change the path to the file in the src attribute in the <track> tag for the different behaviors explained.

Actual results:
The onerror event for the <track> tag is fired twice if the file doesn't exist and once if it does.

Expected results:
The onerror event should be fired the same number of times for both cases.
Rillian, can you or someone else who's worked on this code look at this?
Group: firefox-core-security → core-security
Component: Untriaged → Audio/Video
Product: Firefox → Core
Alastor, can you take a look at this please?
Assignee: nobody → alwu
This works as a local attack only--that is, when the PoC is itself loaded from a file:/// url. From a web page you always get a "doesn't exist" result because there's a security error thrown:

Security Error: Content at https://bug1295023.bmoattachments.org/attachment.cgi?id=8780916 may not load or link to file:///etc/passwd.
Sure, I will check it later.
Comment on attachment 8782394 Bug 1295023 - ignore to set the same value for the ready state. https://reviewboard.mozilla.org/r/72578/#review70330
Attachment #8782394 - Flags: review?(giles) → review+
Pushed by email@example.com: https://hg.mozilla.org/integration/autoland/rev/305892e22d9c ignore to set the same value for the ready state. r=rillian
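The guard named in the commit message, shown on a simplified model (an added example, not Gecko code and not part of the original bug thread). The `ModelTrack` class, the `READY` constants and the two failure paths in `loadTrack` are assumptions made for illustration; the page only states the observed event counts and the one-line summary of the fix.

```javascript
// Simplified model, not Gecko code: a text track whose "failed to load"
// ready state can be set by more than one code path.
const READY = { NOT_LOADED: 0, LOADING: 1, LOADED: 2, FAILED: 3 };

class ModelTrack {
  constructor(ignoreSameValue) {
    this.ignoreSameValue = ignoreSameValue; // true models the patched setter
    this.readyState = READY.NOT_LOADED;
    this.errorEvents = 0; // number of times onerror would run
  }

  setReadyState(state) {
    // The guard from the commit message: setting the value the track
    // already has is a no-op, so no second error event is dispatched.
    if (this.ignoreSameValue && state === this.readyState) return;
    this.readyState = state;
    if (state === READY.FAILED) this.errorEvents += 1;
  }
}

// Assumed (hypothetical) failure paths: a missing file is reported by both
// the load step and the parse step; an existing but unplayable file is
// reported by the parse step only.
function loadTrack(track, file) {
  track.setReadyState(READY.LOADING);
  if (!file.exists) track.setReadyState(READY.FAILED); // load step
  if (!file.exists || !file.parsesAsVtt) track.setReadyState(READY.FAILED); // parse step
  if (track.readyState !== READY.FAILED) track.setReadyState(READY.LOADED);
  return track.errorEvents;
}

// Constructed inputs for the two cases described in the report.
const MISSING = { exists: false, parsesAsVtt: false };
const UNPLAYABLE = { exists: true, parsesAsVtt: false };

function errorCounts(ignoreSameValue) {
  return {
    missing: loadTrack(new ModelTrack(ignoreSameValue), MISSING),
    unplayable: loadTrack(new ModelTrack(ignoreSameValue), UNPLAYABLE),
  };
}

console.log("unguarded:", errorCounts(false)); // counts differ between cases
console.log("guarded:  ", errorCounts(true)); // counts are equal
```

With the guard in place both cases produce the same number of error events, which is the "Expected results" condition from the report and a useful regression assertion for any state setter that dispatches events.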
Whiteboard: local attack → [adv-main51+] local attack