Open Bug 1684947 Opened 4 years ago Updated 1 year ago

Disallow loading file:/// URIs from within the data folder

Categories

(GeckoView :: General, task, P3)

Unspecified
All
task

Tracking

(Not tracked)

People

(Reporter: agi, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: sec-other)

See https://bugzilla.mozilla.org/show_bug.cgi?id=1684761#c6 for context.

Restricted because the context is restricted.

Type: defect → task
Keywords: sec-other
Priority: -- → P1
Severity: -- → S3

Paraphrasing from slack:

The gist of it is that on Android some parts of the file system are considered protected and user processes are not normally allowed to read them (contrast with desktop where a user process has access to much more of the file system, including Firefox's cookie jar, cache, prefs etc).

The file:/// protocol handler happily lets users read from Firefox's internal folders (which are only readable by a Fenix process and root, nothing else), so all it takes is a vulnerability that makes a content website navigate to a local file and we have a data leak.

Bug 1684761 is one case where that happened. To re-enable the file:/// protocol we want to at least be able to unconditionally forbid reading from the app's internal directories (which is what this bug is about), IIRC this is not straightforward because Gecko internally uses the file protocol so it needs access to those private folders.

This bug blocks enabling the file:// protocol on Fenix. Do we have a bug for that?

Flags: needinfo?(agi)

P3 until Fenix decides that they want to support the file:// protocol.

Priority: P1 → P3

We don't need to keep this closed now that the dependent bug has been opened up.

(In reply to Chris Peterson [:cpeterson] from comment #2)

This bug blocks enabling the file:// protocol on Fenix. Do we have a bug for that?

We have this https://github.com/mozilla-mobile/fenix/issues/7546 not sure if that's what you're looking for.

Group: mobile-core-security
Flags: needinfo?(agi)

Tasks should have severity N/A.

Severity: S3 → N/A

The bug dependency chain for opening local PDFs leads here. Has any decision been reached on this functionality?

Flags: needinfo?(cpeterson)

(In reply to zesanup from comment #6)

The bug dependency chain for opening local PDFs leads here. Has any decision been reached on this functionality?

Sorry, no decision has been made. The decision to allow reading local files would happen in bug 1806171. If that is fixed, this bug is specifically about preventing the Firefox app's internal data files from being loaded in the UI.

Flags: needinfo?(cpeterson)
You need to log in before you can comment on or make changes to this bug.