Closed Bug 1517934 Opened 5 years ago Closed 5 years ago

DOS when trying to open a PDF file (loads new tabs all the time)

Categories

(Firefox :: PDF Viewer, defect)

64 Branch
defect
Not set
normal

RESOLVED DUPLICATE of bug 167320

People

(Reporter: thomas.pointhuber, Unassigned)

Attachments

(3 files)

Attached image firefox_pdf_dos.PNG
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0

Steps to reproduce:

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0 (It reproduces on nightly)

Open a link to a PDF file like https://che.org.il/wp-content/uploads/2016/12/pdf-sample.pdf


Actual results:

Noticing that Firefox loads new (empty) tabs pointing to a local directory (e.g. file:///C:/Users/elekt/AppData/Local/Temp/pdf-sample.pdf) all the time. This makes the current Firefox session unusable and requires me to close the program (including losing all currently open tabs/work).


Expected results:

Open the PDF and show it to me. Under no circumstances open more than one new tab.

I would score the issue as a security issue of low impact (denial-of-service which can be resolved by the user). By filling out the CVSS table in a pragmatic manner I got a minimum CVE score of 4.3

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
(In reply to Thomas Pointhuber from comment #0)
> open a link to a PDF file like
> https://che.org.il/wp-content/uploads/2016/12/pdf-sample.pdf
> 
> 
> Actual results:
> 
> noticing that Firefox loads new (empty) tabs pointing to a local directory
> (e.g. file:///C:/Users/elekt/AppData/Local/Temp/pdf-sample.pdf) all the
> time.

I can't reproduce. It just opens the PDF in the relevant tab. Tested on Mac Nightly on a clean profile. Does the PDF sample contain a Windows path that it forces a redirect to, or something? Or are you seeing this on other OSes as well?

Can you check on a clean Firefox profile? ( https://support.mozilla.org/en-US/kb/profile-manager-create-and-remove-firefox-profiles )
Flags: needinfo?(thomas.pointhuber)
Same, I cannot reproduce on nightly
Component: Untriaged → PDF Viewer
It reproduces only in my active Windows Profile. Not with a clean profile and not on my Linux system.

I deactivated all plugins and was able to reproduce it on my default profile. What is the desired way to find out what configuration option likely causes the issue?
Flags: needinfo?(thomas.pointhuber)
(In reply to Thomas Pointhuber from comment #3)
> It reproduces only in my active Windows Profile. Not with a clean profile
> and not on my Linux system.
> 
> I deactivated all plugins and was able to reproduce it on my default
> profile. What is the desired way to find out what configuration option
> likely causes the issue?

You can post a copy of about:support for your current profile to this bug (help > troubleshooting information > copy raw data to clipboard).

You could also try yourself to e.g. create a new profile, copy `prefs.js` over from your default profile to the new profile, and check if that allows you to reproduce in that profile or not, but it might be something more tricky than that that is stored elsewhere, like default handler association. Paolo, what files would need checking/copying to test that latter hypothesis?
Flags: needinfo?(thomas.pointhuber)
Flags: needinfo?(paolo.mozmail)
Attached file about:support
Flags: needinfo?(thomas.pointhuber)
(In reply to :Gijs (he/him) from comment #4)
> Paolo, what files would need checking/copying to test that latter hypothesis?

You would need to copy the file named "handlers.json" in the profile directory. Some of the settings stored in this file can also be edited from the "Options > General > Files and Applications > Applications" list.
Flags: needinfo?(paolo.mozmail)
(In reply to :Paolo Amadini from comment #6)
> (In reply to :Gijs (he/him) from comment #4)
> > Paolo, what files would need checking/copying to test that latter hypothesis?
> 
> You would need to copy the file named "handlers.json" in the profile
> directory. Some of the settings stored in this file can also be edited from
> the "Options > General > Files and Applications > Applications" list.

Hm. Yeah, Thomas, could you attach that file (from the profile where this happens) to the bug? (It's JSON so it should be easy to check there's nothing personal in there; feel free to censor parts of disk paths or similar)

In the about:support data, I do see "plugins.disable_full_page_plugin_for_types", but I don't think that on its own explains this... It also looks like we don't report modified pdfjs prefs in about:support; can you check in about:config in the broken/default profile if any prefs starting with "pdfjs." are changed? (they'll appear bold, you can copy/paste things via the context menu)
Flags: needinfo?(thomas.pointhuber)
Attached file handlers.json
Overwriting the handlers.json of a clean Profile reproduces the problem on my system.
Flags: needinfo?(thomas.pointhuber)
(In reply to Thomas Pointhuber from comment #8)
> Created attachment 9034705 [details]
> handlers.json
> 
> Overwriting the handlers.json of a clean Profile reproduces the problem on
> my system.

OK. It looks like PDF is set to open using "system default". On your Windows systems, are PDFs set up to open in Firefox in some way / some part of the registry?
Flags: needinfo?(thomas.pointhuber)
That is, I suspect this may be a dupe of bug 167320...
> are PDFs set up to open in Firefox in some way / some part of the registry?

According to Windows settings, PDF files open by default in Firefox. Changing it to Microsoft Edge fixes the bug, but this is not my desired behavior ^^.

Changing "mimeTypes.application/pdf.action" in "handlers.json" from 4 to 3 solved the issue for me.
Flags: needinfo?(thomas.pointhuber)
(In reply to Thomas Pointhuber from comment #11)
> > are PDFs set up to open in Firefox in some way / some part of the registry?
> 
> According to Windows settings, PDF files open by default in Firefox. Changing
> it to Microsoft Edge fixes the bug,

OK, great, glad we figured this one out. Thanks for all your help.

> but this is not my desired behavior ^^.

Of course. :-)

> Changing "mimeTypes.application/pdf.action" in "handlers.json" from 4 to 3
> solved the issue for me.

Right, you should be able to do this in the UI via the method Paolo described in comment #6 - you could change the dropdown next to PDF to "preview in Firefox" (which it should be set to now, if you set it to 3). I will immediately add that if the system default is Firefox, the difference between "Use Firefox (default)" and "Preview in Firefox" is completely impossible to understand as a user... (even though they do very different things in the backend).

I'll mark this as a duplicate of bug 167320, unhide it (as it'd require attacker control of the target machine to change file associations, and could happen to any file type anyway, and is clearly documented publicly in that bug) and see if I can find time to look into that again...
Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 5 years ago
Resolution: --- → DUPLICATE
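
Added example (not part of the bug thread and not Firefox code): a check for the configuration diagnosed above, where a `handlers.json` entry has action 4 (system default) for a file type that the OS itself opens with Firefox. The sample JSON is constructed, the function names are hypothetical, and the set of extensions whose OS default is Firefox is assumed to be supplied by the caller from the OS settings.

```python
import copy
import json

# nsIHandlerInfo action values; the thread names 4 ("system default")
# and 3 ("preview in Firefox") for mimeTypes.application/pdf.action.
HANDLE_INTERNALLY = 3
USE_SYSTEM_DEFAULT = 4

# Constructed sample, not the reporter's attachment.
SAMPLE_HANDLERS_JSON = """
{
  "mimeTypes": {
    "application/pdf": {"action": 4, "extensions": ["pdf"]},
    "image/svg+xml": {"action": 3, "extensions": ["svg"]},
    "application/zip": {"action": 0, "extensions": ["zip"]},
    "text/xml": {"action": 4, "extensions": ["xml"]}
  },
  "schemes": {"mailto": {"action": 4}}
}
"""

def find_loop_risks(handlers, firefox_default_exts):
    """Return MIME types that defer to the OS default handler while the OS
    default for one of their extensions is Firefox itself."""
    wanted = {e.lower().lstrip(".") for e in firefox_default_exts}
    risky = []
    for mime, entry in handlers.get("mimeTypes", {}).items():
        if entry.get("action") != USE_SYSTEM_DEFAULT:
            continue
        exts = {e.lower() for e in entry.get("extensions", [])}
        if exts & wanted:
            risky.append(mime)
    return sorted(risky)

def set_handle_internally(handlers, mime):
    """Return a copy with `mime` switched from 4 to 3, the change that
    resolved the issue in the thread. Other entries are left untouched."""
    fixed = copy.deepcopy(handlers)
    entry = fixed.get("mimeTypes", {}).get(mime)
    if entry is not None and entry.get("action") == USE_SYSTEM_DEFAULT:
        entry["action"] = HANDLE_INTERNALLY
    return fixed

if __name__ == "__main__":
    handlers = json.loads(SAMPLE_HANDLERS_JSON)
    # Assumption: OS settings show that .pdf files open in Firefox.
    print(find_loop_risks(handlers, {"pdf"}))
    print(json.dumps(set_handle_internally(handlers, "application/pdf")["mimeTypes"], indent=2))
```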