1493026 - Creates Full control DACL for Administrators, System, and current user on new downloads

Status: NEW

(Toolkit :: Downloads API, defect, P5)

Description

[mb]

Attachment: ContextMenu64_2018-09-20_15-25-04.png

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36

Steps to reproduce:

1. Set inheritable permissions on a non-admin download folder to not grant execute access on any files in that folder. 

2. Ran Firefox as that non-admin user. 

2. Downloaded a file into download folder



Actual results:

The newly downloaded file has the expected inherited permissions plus three new Full control permissions for System, local administrators group, and current user. 


Expected results:

File should only have inherited permissions, not created any new non-inherited ACLs.

Comment 1

[u554753]

I think this may be a Widget: Win32 issue due to having to change Win admin settings. Please correct if this is not the right component. Thanks.

Comment 2

[mb]

The exact code is here:
https://dxr.mozilla.org/mozilla-central/source/ipc/mscom/MainThreadRuntime.cpp#209

Note the comment: 
  // Grant access to SYSTEM, Administrators, the user, and when running as the
  // browser process on Windows 8+, all app containers.

Comment 3

[(No longer employed by Mozilla) Aaron Klotz]

(In reply to mb from comment #2)
> The exact code is here:
> https://dxr.mozilla.org/mozilla-central/source/ipc/mscom/MainThreadRuntime.
> cpp#209
> 
> Note the comment: 
>   // Grant access to SYSTEM, Administrators, the user, and when running as
> the
>   // browser process on Windows 8+, all app containers.


That code is specifically for the DACL applied to incoming COM execution requests. That should not be applied directly to downloaded files.