1493539 - Firefox Remote Denial Of Service attack using extremely long filenames

Status: RESOLVED DUPLICATE of bug 1438214

(Firefox :: File Handling, defect)

Description

[u614211]

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36

Steps to reproduce:

You can try it @ https://reaperbugs.com/
Source: https://gist.github.com/pwnsdx/d20a99c0500d6f05993ef730bef26746


Actual results:

Repeatedly prompt the user to download file that contains enormous filename will hang the main process.


Expected results:

Behavior for download prompts should be more like Chrome where it seems to handle those cases with ease. Preventing websites to download more than one file unless the user say so is probably the way to go. Truncation / rejection of long filename would also be nice to have.

Comment 2

[:Gijs (he/him)]

Maybe there's something we can do about the parent process hang due to the long filenames before we fix the dos with multiple downloads.

Comment 3

[Johann Hofmann [:johannh]]

Isn't this just because of the blob URL handling? If so, we can probably dupe it to bug 1438214.

Comment 4

[:Gijs (he/him)]

(In reply to Johann Hofmann [:johannh] from comment #3)
> Isn't this just because of the blob URL handling? If so, we can probably
> dupe it to bug 1438214.

Oh, I missed that. Yeah, thanks. That bug needs an owner...

Comment 5

[(inactive) Nihanth Subramanya [:nhnt11]]

(In reply to Sabri from comment #0)
> Preventing websites to download more than one file unless the user say so is probably the way to go.

The download spam prevention project is relevant, see bug 1306334.