Closed Bug 144860 Opened 22 years ago Closed 22 years ago

Privacy issue: plugin path is readable

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Type:
defect
Priority:
Not set
Severity:
minor

Tracking

()

Status:
RESOLVED DUPLICATE of bug 88183

People

(Reporter: nfl, Assigned: jst)

References

(
URL
)

Details

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0rc2) Gecko/20020510
BuildID:    2002051009

Plugin paths are readable by Javascript. Inquiring script can observe
installation details. Moreover, if Mozilla or (some of the) plugins are
installed in the user's home directory, the script can guess the user's login name.

Reproducible: Always
Steps to Reproduce:
1.Enable Javascript if it's not enabled.
2.Go to the given URL.

Actual Results:  The script displays the plugin filenames and, with my setup, my
login name, too.

Expected Results:  I think that plugin paths should be hidden from web sites.

Source of the "exploit":

<script>
  loginname = "unknown";
  for (i = 0; i < navigator.plugins.length; i++) {
    filename = navigator.plugins[i].filename;
    document.writeln(filename, "<br>");
    if (filename.substr(0, 6) == "/home/") {
      loginname = filename.substr(6, filename.indexOf("/", 6) - 6);
    }
  }
  document.writeln("<br>Possible login name: <b>", loginname, "</b>");
</script>
Confirmed.  Only the filename and maybe the parent directory should be visible
to web pages.
Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: Linux → All
Hardware: PC → All
ISTR this being a dupe of a bug I filed last year some time. Can't seem to find
it now, though.

*** This bug has been marked as a duplicate of 88183 ***
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.