file:///// URL behaves differently with middle mouse button

RESOLVED WORKSFORME

Status

()

Core
Security
RESOLVED WORKSFORME
15 years ago
14 years ago

People

(Reporter: Chris Harper, Assigned: Mitchell Stoltz (not reading bugmail))

Tracking

Trunk
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(URL)

(Reporter)

Description

15 years ago
When I make a link using file:///// to a file on our network:

<A HREF="file://///server/directory/file.doc">MyFile</A> it behaves differently
depending upon if I middle-click the link verses if I left-click or right-click
and select "Open in new tab" or "Open in new window". The middle mouse button
works correctly (opens the file in a new tab). All other methods of clicking the
link do nothing (no error message, no action).
what the heck is file:///// (with 5 /) ? I only knew it with 2 or 3...
(Reporter)

Comment 2

15 years ago
See http://bugzilla.mozilla.org/show_bug.cgi?id=107540 for info about the 5 slashes.

Comment 3

15 years ago
The reporter says he is able to get the link to open in a new tab with the
middle click button, and 5 slashes seems like a valid path (Comment 2).

Reporter:  If the link you are clicking is in a file: document also, reporter,
then I have to say WFM, Win 98 daily build 2002053008.  I get an error message
(takes a few seconds).  However, it is possible that something else is happening.

If the link is in a non-file: document (http:, for example), it should be noted
that file: links are not openable (click, open in new tab, open in new window)
from http: documents.  So reporter, if the link you are trying to open is in an
http: document, then it is correct behavior (or at least expected behavior) for
Mozilla to fail with no visible error (there is an error printed on the
JavaScript console in this case).  If you don't like the fact that there is no
visible error message, see Bug 84128.  The real bug, however, does not seem to
be that the link can't be opened with click etc.; it is that the link _can_ be
opened with the middle click shortcut.  (If a file: link is not allowed to be
opened from an http: document normally, then there should not be a way to do so
with the middle click shortcut.)  We need more info from reporter to rule out
(or rule in?) this case.
Reporter, could you please tell us the following:
1) what version of Mozilla you are using
2) the URL of the document from which you are trying to load this link (or at
least the protocol of the document, for example http: or file:)
(Reporter)

Comment 4

15 years ago
1) what version of Mozilla you are using
Mozilla 1.0 Release Candidate 3
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.0rc3) Gecko/20020523

2) the URL of the document from which you are trying to load this link (or at
least the protocol of the document, for example http: or file:)

The URL of the document that contains the link is an HTTP link on our internal
wiki: "http://intellijet2.netjets.com/wiki-moinmoin/moin.cgi/ChrisHarper"

I pulled up the JavaScript console and can see errors like the following on
left-click and right-click->Open in new...

"The link to file://///cmhdev01/vol1/shared/Cambridge/cc%20error.doc was blocked
by the security manager.
Remote content may not link to local content."

However, there is no error message with the middle-click - and I get an
immediate file download dialog.
Right.  This is all working as-designed.  Remote content linking to local 
content opens up a number of security holes that are simply not tenable.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 15 years ago
Resolution: --- → INVALID
(Reporter)

Comment 6

15 years ago
I just want to make sure everyone is on the same page. When you said "This is
all working as-designed." Did you mean that you were already aware of the
problem and that it had already been fixed, or that the bug as described in the
text (middle mouse button rehaves differently than right-click->open in new tab)
is by-design?
Ugh.  Sorry... I misread things...
Status: RESOLVED → UNCONFIRMED
Resolution: INVALID → ---
To security.  We should be consistent in this behavior, I think...
Assignee: dougt → mstoltz
Status: UNCONFIRMED → NEW
Component: Networking: File → Security: General
Ever confirmed: true
OS: Windows 2000 → All
QA Contact: benc → bsharma
Hardware: PC → All

Comment 9

15 years ago
I think what I said above still applies:  "The real bug ... is that the link
_can_ be opened with the middle click shortcut."  That is, "consistent behavior"
would be to disallow the middle click (and ctrl click), right?
If this is not happening already, the middle-click shortcut is skipping
CheckLoadURI, I guess. (?)  mstoltz will probably know.
*** Bug 151491 has been marked as a duplicate of this bug. ***
(Assignee)

Comment 11

14 years ago
This has been fixed; can't reproduce it now.
Status: NEW → RESOLVED
Last Resolved: 15 years ago14 years ago
Resolution: --- → FIXED

Comment 12

14 years ago
reopening as no specific patch fixed this bug.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---

Comment 13

14 years ago
wfm
Status: REOPENED → RESOLVED
Last Resolved: 14 years ago14 years ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.