Closed
Bug 16672
Opened 22 years ago
Closed 21 years ago
[DOGFOOD] JavaScript in HTML email message may read local files
Categories (Core :: Security, defect, P3)
Tracking (VERIFIED FIXED, M12)
People (Reporter: joro, Assigned: norrisboyd)
Details (Whiteboard: [PDT+] Have fix)
There seems to be a security bug (or design flaw) in Mozilla 5.0 Messenger:

As rhp@netscape.com explained to me:
--------------------------------
When the body of the message is encountered, a new temporary HTML file is written to disk and the following line is added to the XUL document:

<html:iframe id="mail-body-frame" type="content-primary" src="file:///C|/TEMP/nsMimeBody.html" border="0" scrolling="auto" resize="yes" width="100%" flex="1"/>
-------------------------------

The problem is that the SRC of the IFRAME is the "file:" protocol. This means that the JavaScript code in the body of the message (the IFRAME) has reading access to all documents in the "file:" protocol. This means that an email message may read local files.

To demonstrate the problem, I suggest the following test case:

1) Create a file "c:\links.html" and put in it an <A HREF=> tag, e.g.:
<A HREF="your text">link1</A>
2) Send an HTML message to yourself which contains the following JavaScript code:
---
<SCRIPT>
s="file"+":///c|/links.html";
a=window.open(s);
setTimeout("alert(a.document.links[0].href)",5000);
</SCRIPT>
----
(I sent the message with Communicator 4.7)
3) Read the message with Mozilla 5.0 and the HREF of the <A> tag will be displayed in an alert box in a few moments.

I tested that with build 1999101608.
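An added example, not part of the bug report or the Mozilla code base: a small Node.js check that scans emitted XUL for content frames whose src is a file: URL, which is the condition the report identifies, together with a simplified model of the access rule the reporter describes. The function names, the "type starts with content" heuristic and the second and third sample frames are assumptions constructed for illustration.

```javascript
// Added example, not Mozilla code; names and constructed frames are illustrative.

// Parse name="value" attributes out of a single tag string.
function parseAttrs(tag) {
  const attrs = {};
  for (const m of tag.matchAll(/([\w:-]+)\s*=\s*"([^"]*)"/g)) {
    attrs[m[1].toLowerCase()] = m[2];
  }
  return attrs;
}

// Lowercase URL scheme, or "" for a relative or malformed URL.
function schemeOf(url) {
  const m = /^\s*([a-z][a-z0-9+.-]*):/i.exec(url);
  return m ? m[1].toLowerCase() : "";
}

// Simplified model of the access rule the reporter describes: script in a
// file: document can read any other file: document.
function scriptCanReadLocalFile(docUrl, targetUrl) {
  return schemeOf(docUrl) === "file" && schemeOf(targetUrl) === "file";
}

// Flag frames that display message/web content (assumption: type starts
// with "content") but are loaded from the local file: scheme.
function auditFrames(markup) {
  const findings = [];
  for (const m of markup.matchAll(/<(?:html:)?iframe\b[^>]*>/gi)) {
    const a = parseAttrs(m[0]);
    const isContent = (a.type || "").toLowerCase().startsWith("content");
    if (isContent && schemeOf(a.src || "") === "file") {
      findings.push({ id: a.id || "(no id)", src: a.src });
    }
  }
  return findings;
}

const SAMPLE = [
  // Frame line quoted in the report.
  '<html:iframe id="mail-body-frame" type="content-primary" ' +
    'src="file:///C|/TEMP/nsMimeBody.html" border="0" scrolling="auto" ' +
    'resize="yes" width="100%" flex="1"/>',
  // Constructed: frame without a content type.
  '<html:iframe id="ui-frame" src="file:///C|/app/ui.html"/>',
  // Constructed: content frame on a non-file scheme.
  '<html:iframe id="web-frame" type="content" src="http://example.com/"/>',
].join("\n");

for (const f of auditFrames(SAMPLE)) console.log(`content frame ${f.id} loads ${f.src}`);
```

Only the frame quoted in the report is flagged; the same check can be run over any emitter output captured during testing.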
Assignee
Updated•22 years ago
Status: NEW → ASSIGNED
Assignee
Comment 2•22 years ago
Travis says that it should be easier to fix the IFRAME src="file://..." after the WebShell changes land.
Assignee
Updated•22 years ago
Whiteboard: waiting for doc loader to land
Assignee
Updated•22 years ago
Target Milestone: M12
Assignee
Updated•22 years ago
Summary: JavaScript in HTML email message may read local files → [dogfood] JavaScript in HTML email message may read local files
Assignee
Comment 3•22 years ago
Marking dogfood for analysis by PDT at jar's request.
Assignee
Updated•22 years ago
Summary: [dogfood] JavaScript in HTML email message may read local files → [DOGFOOD] JavaScript in HTML email message may read local files
Whiteboard: waiting for doc loader to land → [PDT+]waiting for doc loader to land
Putting on PDT+ radar. But we believe that temp file is no longer being used, thus this bug is fixed. rhp?
Comment 5•22 years ago
Sorry, the temp file still exists for the body of the message. When you are displaying an email message, you are looking at a XUL document with the body living in an IFRAME. Problem still relevant. - rhp
Assignee
Updated•22 years ago
Whiteboard: [PDT+]waiting for doc loader to land → [PDT+] Try for 12/3 -- risky
Assignee
Updated•21 years ago
Whiteboard: [PDT+] Try for 12/3 -- risky → [PDT+] Have fix
Assignee
Updated•21 years ago
Status: ASSIGNED → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
Assignee
Comment 6•21 years ago
Checking in mailnews/mime/emitters/src/nsMimeXULEmitter.cpp;
/m/pub/mozilla/mailnews/mime/emitters/src/nsMimeXULEmitter.cpp,v <-- nsMimeXULEmitter.cpp
new revision: 1.47; previous revision: 1.46
done
Checking in mailnews/mime/emitters/src/nsMimeXULEmitter.h;
/m/pub/mozilla/mailnews/mime/emitters/src/nsMimeXULEmitter.h,v <-- nsMimeXULEmitter.h
new revision: 1.12; previous revision: 1.11
done
Bulk moving all Browser Security bugs to new Security: General component. The previous Security component for Browser will be deleted.
Component: Security → Security: General