Closed Bug 16672 Opened 20 years ago Closed 20 years ago

[DOGFOOD] JavaScript in HTML email message may read local files

Categories

(Core :: Security, defect, P3)

x86
Windows 95
defect

Tracking


VERIFIED FIXED

People

(Reporter: joro, Assigned: norrisboyd)

References

Details

(Whiteboard: [PDT+] Have fix)

There seems to be a security bug (or design flaw) in Mozilla 5.0 Messenger:
As rhp@netscape.com explained to me:
--------------------------------
When the body of the message
is encountered, a new temporary HTML file is written to disk and the following
line is added to the XUL document:

<html:iframe id="mail-body-frame" type="content-primary"
src="file:///C|/TEMP/nsMimeBody.html" border="0" scrolling="auto" resize="yes"
width="100%" flex="1"/>
-------------------------------
The problem is that the SRC of the IFRAME is the "file:" protocol. This means
that the JavaScript code in the body of the message (the IFRAME) has read
access to all documents in the "file:" protocol.
This means that an email message may read local files.

To demonstrate the problem, I suggest the following test case:
1) Create a file "c:\links.html" and put in it an <A HREF=> tag, e.g.:
<A HREF="your text">link1</A>

2) Send HTML message to yourself which contains the following javascript code:
---
<SCRIPT>
// Open the local file in a second window. The message body itself is loaded
// from a file: URL, so the new window is same-origin with it.
s="file"+":///c|/links.html";
a=window.open(s);
// Give the file time to load, then read the first link's HREF across windows.
setTimeout("alert(a.document.links[0].href)",5000);
</SCRIPT>
----
(I sent the message with Communicator 4.7)

3) Read the message with Mozilla 5.0 and the HREF of the <A> tag will be
displayed in an alert box in a few moments.

I tested that with build 1999101608.
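The report above rests on one fact: browsers of that era decided whether one document could script another by comparing scheme, host and port, and every file: URL has the same scheme and an empty host and port. The following model of that same-origin check is an added illustration, not code from the bug or from Mozilla; the two file: URLs are taken from the report, while the mailbox://inbox/message-1 URL is a hypothetical, assumed alternative origin used only to show how the same check would fail for a non-file: body.

```javascript
// Model of the Netscape-era same-origin rule: two documents may script each
// other when scheme, host and port all match. This is an added illustration,
// not Mozilla's implementation (assumption: the check is exactly this triple).
function originOf(urlString) {
  const u = new URL(urlString);
  // `origin` is opaque ("null") for file: URLs in modern parsers, so the
  // triple is compared by hand, which is what the 1999 check amounted to.
  return { scheme: u.protocol, host: u.hostname, port: u.port };
}

function sameOrigin(a, b) {
  const x = originOf(a);
  const y = originOf(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Can script running in the document at `scriptDoc` read `target` (for
// example through window.open(target).document as in the report)?
function scriptMayRead(scriptDoc, target) {
  return sameOrigin(scriptDoc, target);
}

// URLs from the bug report: where the mail body was loaded from, and the file
// the test message reads.
const MAIL_BODY_FRAME = "file:///C|/TEMP/nsMimeBody.html";
const LOCAL_FILE = "file:///c|/links.html";

// Hypothetical alternative origin for the body (assumption, not the fix
// actually checked in): any non-file: scheme breaks the match.
const HYPOTHETICAL_BODY_ORIGIN = "mailbox://inbox/message-1";

// Evaluate each candidate body origin against the local file and report
// which ones would let the message's script read it.
function accessTable(candidates, target) {
  return candidates.map(c => ({ body: c, canRead: scriptMayRead(c, target) }));
}

console.log(accessTable([MAIL_BODY_FRAME, HYPOTHETICAL_BODY_ORIGIN], LOCAL_FILE));
// [ { body: 'file:///C|/TEMP/nsMimeBody.html', canRead: true },
//   { body: 'mailbox://inbox/message-1', canRead: false } ]
```

Both file: URLs reduce to scheme "file:", host "" and port "", so the check passes regardless of path or drive letter: the temp-file design hands every HTML message the same authority as a page opened from the local disk. Moving the body to any other scheme makes the same comparison fail.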
Status: NEW → ASSIGNED
*** Bug 16521 has been marked as a duplicate of this bug. ***
Travis says that it should be easier to fix the IFRAME src="file://..." after
the WebShell changes land.
Whiteboard: waiting for doc loader to land
Blocks: 12633
Target Milestone: M12
Summary: JavaScript in HTML email message may read local files → [dogfood] JavaScript in HTML email message may read local files
Marking dogfood for analysis by PDT at jar's request.
Summary: [dogfood] JavaScript in HTML email message may read local files → [DOGFOOD] JavaScript in HTML email message may read local files
Whiteboard: waiting for doc loader to land → [PDT+]waiting for doc loader to land
Putting on PDT+ radar.  But we believe that the temp file is no longer being used,
thus this bug is fixed.  rhp?
Sorry, the temp file still exists for the body of the message. When you are
displaying an email message, you are looking at a XUL document with the body
living in an IFRAME. Problem still relevant.

- rhp
Whiteboard: [PDT+]waiting for doc loader to land → [PDT+] Try for 12/3 -- risky
Blocks: 20870
Whiteboard: [PDT+] Try for 12/3 -- risky → [PDT+] Have fix
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Checking in mailnews/mime/emitters/src/nsMimeXULEmitter.cpp;
/m/pub/mozilla/mailnews/mime/emitters/src/nsMimeXULEmitter.cpp,v  <--  nsMimeXULEmitter.cpp
new revision: 1.47; previous revision: 1.46
done
Checking in mailnews/mime/emitters/src/nsMimeXULEmitter.h;
/m/pub/mozilla/mailnews/mime/emitters/src/nsMimeXULEmitter.h,v  <--  nsMimeXULEmitter.h
new revision: 1.12; previous revision: 1.11
done
Blocks: 21564
Updating QA Contact.
QA Contact: dshea → paw
Marking verified per Norris's comments
Status: RESOLVED → VERIFIED
Bulk moving all Browser Security bugs to new Security: General component.  The 
previous Security component for Browser will be deleted.
Component: Security → Security: General
No longer blocks: 20870
No longer blocks: 21564