Closed Bug 1440622 Opened 4 years ago Closed 2 years ago
"Content-disposition: attachment" files opened in browser (not saved) can read other files in the temp directory
The clipboard cache file removal has a WIP patch in bug 335545 that seems to have gotten lost. I've pinged Rob. The other stuff is more or less known and covered by bug 803143, I believe. I'll leave it up to the rest of the security team to decide what to do with this bug.
I have just read 803143 and just want to make some distinctions. What is described in 803143 is known behavior and I understand that there are legitimate reasons to allow file:// protocol documents to access files in the same directory. The security issue I am reporting is that when an HTML file is presented for download, clicking "open" in the dialog box causes Firefox to open the file in the temp directory, which is shared by Firefox and other processes. Any scripts in the HTML file could therefore access files created by both Firefox and other programs, as long as they are also created within the Windows temp directory. Mine, for example, opens in C:\Users\adam\AppData\Local\Temp which contains other files "opened" in Firefox, such as PDFs. There could also be other sensitive files in here saved by other programs, depending on what is installed on the user's system. As an example, in a sub-directory of the temp directory I have files that I have copied from my host to VMs in VMWare. The risk is slightly increased because Firefox also opens files when the Windows 8.3 shortname is specified, as demonstrated in the PoC attachment. Sorry if this wasn't clear in the original report.
I agree this is different enough from bug 803143 to warrant a separate bug. We could easily fix this separately by saving these files into a sub-directory of %temp%. We've been talking about tightening up our behavior generally to match Chrome. We were the first to deviate from historical "all file: is the same origin" behavior and at the time had to be a little more conservative. If we fix bug 803143 then that would be another way to fix this one.
Status: UNCONFIRMED → NEW
Depends on: 803143
Ever confirmed: true
Summary: HTML files opened in browser can read other files in the temp directory → "Content-disposition: attachment" files opened in browser (not saved) can read other files in the temp directory
Whiteboard: [Hide PoC before unhiding bug]
Group: firefox-core-security → core-security
Component: Untriaged → DOM: Security
Product: Firefox → Core
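An added example (not Firefox code) that contrasts the layout described in the report, an opened attachment written straight into the shared temp directory, with the per-file sub-directory fix proposed above; a scratch directory stands in for %TEMP%, and every file in it is constructed.

```python
"""Contrast the two temp-directory layouts discussed in this bug. A file://
document can reach files sitting in its own directory, so what matters is
which files end up beside an opened attachment. The scratch directory used
here stands in for %TEMP%; all files in it are constructed samples."""
import os
import tempfile


def save_flat(temp_dir, name, data):
    """Layout from the report: the attachment lands directly in the shared
    temp directory, beside whatever Firefox and other programs left there."""
    path = os.path.join(temp_dir, name)
    with open(path, "wb") as f:
        f.write(data)
    return path


def save_isolated(temp_dir, name, data):
    """Proposed fix: a fresh, unpredictably named sub-directory per opened
    file. mkdtemp creates it with mode 0o700 on POSIX, so the directory is
    also unreadable to other local users."""
    sub = tempfile.mkdtemp(prefix="opened-", dir=temp_dir)
    path = os.path.join(sub, name)
    with open(path, "wb") as f:
        f.write(data)
    return path


def same_dir_reach(path):
    """Names a file:// document at `path` would find in its own directory
    (the same-directory rule from bug 803143), excluding the document itself."""
    own = os.path.basename(path)
    return sorted(n for n in os.listdir(os.path.dirname(path)) if n != own)


def demo():
    """Constructed scenario: the temp directory already holds an opened PDF,
    then an HTML attachment is opened with each layout in turn."""
    with tempfile.TemporaryDirectory() as fake_temp:
        save_flat(fake_temp, "report.pdf", b"%PDF-1.4 constructed sample")
        html = b"<html>constructed placeholder</html>"
        flat_reach = same_dir_reach(save_flat(fake_temp, "attachment.html", html))
        isolated_reach = same_dir_reach(save_isolated(fake_temp, "attachment.html", html))
        return flat_reach, isolated_reach


if __name__ == "__main__":
    flat, isolated = demo()
    print("flat layout sees:", flat)          # ['report.pdf']
    print("isolated layout sees:", isolated)  # []
```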