Open Bug 1422482 Opened 8 years ago Updated 10 months ago

OS username disclosure using downloads manager

Categories

(Firefox :: Downloads Panel, defect, P3)

Product:
Firefox
Component:
Downloads Panel
Version:
58 Branch
Type:
defect
Points:
3

Tracking

()

People

(Reporter: qab, Unassigned)

References

(Blocks 2 open bugs)

Details

(Keywords: csectype-disclosure, privacy, sec-low, Whiteboard: [fingerprinting][tor])

Attachments

(1 file, 2 obsolete files)

PoCDL.html
2.25 KB, text/html
Details
Attached file PoCDL.html
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36 Steps to reproduce: Drag and dropping downloaded files into attacker controlled web page exposes OS username by reading 'text/uri-list' which contains full path to file which includes the OS name. PoC attached, open and follow instructions. Actual results: 'text/uri-list' contains OS username (assuming by default the download points to the /Downloads/ folder) Expected results: 'text/uri-list' should be cleared from containing full path.
Doesn't seem like we do this for normal files. Paolo, why does this happen for downloads, and can we avoid it?
Component: Untriaged → Downloads Panel
Flags: needinfo?(paolo.mozmail)
This is where we currently set the text/uri-list and text/plain types, in addition to application/x-moz-file: https://dxr.mozilla.org/mozilla-central/rev/f5a1cb52c12e8fbcf2e3b5a675fe2a84d43507a7/browser/components/downloads/content/allDownloadsViewOverlay.js#724-730 https://dxr.mozilla.org/mozilla-central/rev/f5a1cb52c12e8fbcf2e3b5a675fe2a84d43507a7/browser/components/downloads/content/downloads.js#1027-1033 Support for text/uri-list and text/plain was added for Linux in bug 567377. Jan, do you know if there is another approach we could take, maybe extending drag-and-drop support for "application/x-moz-file"? I don't know the consequences of removing "text/uri-list" for other platforms though. We could instead consider sanitizing or hiding file URLs when dropping them.
Flags: needinfo?(paolo.mozmail) → needinfo?(jhorak)
I afraid there's no other way to implement dragging files outside of Firefox, like to file manager.
Flags: needinfo?(jhorak)
Assignee: nobody → stransky
We could fix that by stripping the text/uri-list when dropping to the Firefox.
This may be a duplicate of bug 1469083.
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Group: firefox-core-security
Keywords: csectype-disclosure, privacy, sec-low
Points: --- → 3
Priority: -- → P3
Blocks: uplift_tor_fingerprinting
Whiteboard: [fingerprinting][tor]
Assignee: stransky → nobody
Status: ASSIGNED → NEW
Depends on: 1628373
No longer depends on: 1628373

Any news on it ?

I found this thread because the Jupyterlab (used by thousands of people) doesn't recognize it, leading to a behavior similar to 1287823. So it not only unsafe, but it breaks applications too.

(In reply to Enzo from comment #8)

Any news on it ?

I found this thread because the Jupyterlab (used by thousands of people) doesn't recognize it, leading to a behavior similar to 1287823. So it not only unsafe, but it breaks applications too.

This doesn't really sound like the same issue. This bug is solely about the privacy risk of including URIs for local files when dropping files on web content, whereas bug 1287823 was about broken drags to the desktop from the downloads panel, which can't have anything to do with the web content. You're better off filing a separate issue with more details about how to reproduce the problem you're referring to.

Severity: normal → S3

I submitted a patch as a WIP, but just want to note one thing, if you enable the newly introduced pref, browser.download.dragUseFileName, it breaks dragging and dropping files to tab bar from downloads. However, it doesn't break dragging and dropping from any other place, despite dragging files from other places also don't include full file paths.

(In reply to Fatih Kilic from comment #11)

I submitted a patch as a WIP, but just want to note one thing, if you enable the newly introduced pref, browser.download.dragUseFileName, it breaks dragging and dropping files to tab bar from downloads. However, it doesn't break dragging and dropping from any other place, despite dragging files from other places also don't include full file paths.

This would also break dropping the path/URL anywhere else. Can we instead censor file URIs in the data transfer code as far as the content process is concerned?

Assignee: nobody → fkilic
Status: NEW → ASSIGNED
Attachment #9427884 - Attachment is obsolete: true
Attachment #9421850 - Attachment is obsolete: true
Assignee: fkilic → nobody
Status: ASSIGNED → NEW
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: