Closed
Bug 16672
Opened 20 years ago
Closed 20 years ago
[DOGFOOD] JavaScript in HTML email message may read local files
Categories
(Core :: Security, defect, P3)
P3
Tracking
()
VERIFIED
FIXED
M12
People
(Reporter: joro, Assigned: norrisboyd)
References
Details
(Whiteboard: [PDT+] Have fix)
There seems to be a security bug (or design flaw) in Mozilla 5.0 Messenger: As rhp@netscape.com explained me: -------------------------------- When the body of the message is encountered, a new temporary HTML file is written to disk and the following line is added to the XUL document: <html:iframe id="mail-body-frame" type="content-primary" src="file:///C|/TEMP/nsMimeBody.html" border="0" scrolling="auto" resize="yes" width="100%" flex="1"/> ------------------------------- The problem is that the SRC of the IFRAME is the "file:" protocol. This means that the JavaScript code in the body of the message (the IFRAME) has reading access to all documents in the "file:" protocol. This means that email message may read local files. To demonstrate the problem, I suggest the following test case: 1) Create a file "c:\links.html" and put in it an <A HREF=> tag, e.g. : <A HREF="your text">link1</A> 2) Send HTML message to yourself which contains the following javascript code: --- <SCRIPT> s="file"+":///c|/links.html"; a=window.open(s); setTimeout("alert(a.document.links[0].href)",5000); </SCRIPT> ---- (I sent the message with Communicator 4.7) 3) Read the message with Mozilla 5.0 and the HREF of the <A> tag will be displayed in an alert box in a few moments. I tested that with build 1999101608.
|
Assignee | |
Updated•20 years ago
|
Status: NEW → ASSIGNED
|
|
Assignee | |
Comment 2•20 years ago
|
||
Travis says that it should be easier to fix the IFRAME src="file://..." after the WebShell changes land.
|
|
Assignee | |
Updated•20 years ago
|
Whiteboard: waiting for doc loader to land
|
|
Assignee | |
Updated•20 years ago
|
Target Milestone: M12
|
|
Assignee | |
Updated•20 years ago
|
Summary: JavaScript in HTML email message may read local files → [dogfood] JavaScript in HTML email message may read local files
|
|
Assignee | |
Comment 3•20 years ago
|
||
Marking dogfood for analysis by PDT at jar's request.
|
|
Assignee | |
Updated•20 years ago
|
Summary: [dogfood] JavaScript in HTML email message may read local files → [DOGFOOD] JavaScript in HTML email message may read local files
Whiteboard: waiting for doc loader to land → [PDT+]waiting for doc loader to land
Putting on PDT+ radar. But we believe that temp file is not longer being used, thus this bug fixed. rhp?
|
||
Comment 5•20 years ago
|
||
Sorry, the temp file still exists for the body of the message. When you are displaying an email message, you are looking at a XUL document with the body living in an IFRAME. Problem still relevant. - rhp
|
|
Assignee | |
Updated•20 years ago
|
Whiteboard: [PDT+]waiting for doc loader to land → [PDT+] Try for 12/3 -- risky
|
|
Assignee | |
Updated•20 years ago
|
Whiteboard: [PDT+] Try for 12/3 -- risky → [PDT+] Have fix
|
|
Assignee | |
Updated•20 years ago
|
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
|
|
Assignee | |
Comment 6•20 years ago
|
||
Checking in mailnews/mime/emitters/src/nsMimeXULEmitter.cpp; /m/pub/mozilla/mailnews/mime/emitters/src/nsMimeXULEmitter.cpp,v <-- nsMimeXUL Emitter.cpp new revision: 1.47; previous revision: 1.46 done Checking in mailnews/mime/emitters/src/nsMimeXULEmitter.h; /m/pub/mozilla/mailnews/mime/emitters/src/nsMimeXULEmitter.h,v <-- nsMimeXULEm itter.h new revision: 1.12; previous revision: 1.11 done
Bulk moving all Browser Security bugs to new Security: General component. The previous Security component for Browser will be deleted.
Component: Security → Security: General
You need to log in
before you can comment on or make changes to this bug.
Description
•