Closed Bug 1682096 Opened 4 years ago Closed 4 years ago

Allowing to download PDF cross-origin - Race condition

Categories

(Fenix :: General, defect)

Unspecified
Android
defect

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: kirtikumar.a.r, Unassigned)

References

Details

User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36/8vfJ8dsw-50

Steps to reproduce:

  1. Visit https://kirtikumarar.com/ff_pdf.html
  2. Copy the pdf link and paste in the field
  3. Click the download

Actual results:

It downloaded a document from cross-origin

Expected results:

It shouldn't download the document from the cross-origin

The test case on the site is taken from https://bugzilla.mozilla.org/show_bug.cgi?id=1449898 (credit: Wladimir Palant).

OS: Unspecified → Android
Summary: Race condition in PDF Viewer allows circumventing same-origin policy for PDF files → Allowing to download PDF cross-origin - Race condition

When I try this I get a Denial of Service constantly trying to download the PDF file, but the copies are going to MY PHONE and are not readable by your attack page. The problem with the other bug was not that you could download the PDF (that's fine!) but that the attacker's page could read some of it.

Am I doing your testcase wrong?

Flags: needinfo?(kirtikumar.a.r)
See Also: → CVE-2018-5157

The major difference is that Firefox on desktop has a built-in PDF viewer and that's where the bug was. On Android we just hand the PDF off to your phone to find an appropriate app, so it can't communicate back.

Thanks for the detailed explanation, it makes sense. And no sir, you aren't doing it wrong. The PDF should be downloaded back-to-back in a loop from the cross-origin site. But Chrome and its other variants aren't downloading the document from the cross-origin site on Android. What can be the reason they blocked downloading the document cross-origin like they do on desktop? No, for me I wasn't getting a DoS because I haven't given permission for downloading yet. Maybe it can lead to a DoS due to a big loop, but still the point is how Chrome protects its users from this type of race condition and also from downloading the document cross-origin. Correct me if I'm wrong.

Flags: needinfo?(kirtikumar.a.r)

Tried on:
Google Chrome 87.0.4280.66 (Official Build) (32-bit)
OS Android 9; Redmi Note 5 Pro Build/PKQ1.180904.001

And Firefox: 84.1.0 (Build #2015780659)

A cross-origin download is a legitimate feature. The original bug was not about downloading but reading data across origins using a vulnerability in the PDF viewer. That does not apply here, as Dan has explained.

The large number of dialogs will be addressed as part of bug 1554980 (https://github.com/mozilla-mobile/fenix/issues/16247).

Status: UNCONFIRMED → RESOLVED
Closed: 4 years ago
Resolution: --- → INVALID
Component: Security: Android → General
Group: mobile-core-security