download protection bypass on macOS with .inetloc
Categories
(Firefox :: File Handling, defect, P1)
Tracking
()
People
(Reporter: houjingyi647, Assigned: Gijs)
References
Details
(4 keywords, Whiteboard: [reporter-external] [client-bounty-form] [verif?][adv-main94+][adv-esr91.3+])
Attachments
(3 files, 1 obsolete file)
295 bytes,
application/xml
|
Details | |
48 bytes,
text/x-phabricator-request
|
RyanVM
:
approval-mozilla-beta+
RyanVM
:
approval-mozilla-esr91+
|
Details | Review |
331 bytes,
text/plain
|
Details |
firefox Version: 92.0
Operating System: macOS Big Sur, 11.5.2
Vladimir Metnew reported that .fileloc files on macOS can bypass download protection in 2019:https://bugzilla.mozilla.org/show_bug.cgi?id=1596668
However, .inetloc files are similar to .fileloc files and .inetloc is not in blacklist.
When open a .fileloc file in firefox, firefox will warn:" 'test.fileloc' is an executable file. Executable files may contain viruses or other malicious code that could harm your computer. Use caution when opening this file. Are you sure you want to launch 'test.fileloc'? "
But when open a .inetloc file in firefox there is no warning and attacker may execute arbitrary commands.
I provided a test.inetloc which can open calc for test.
Reporter | ||
Comment 1•3 years ago
|
||
https://drive.google.com/drive/folders/1HW7iHrsBeL3J-ACt9mm2Ct13qXN1PrCk?usp=sharing
I also recorded a video and you can see how fiefox handle .inetloc and .fileloc differently.
Assignee | ||
Updated•3 years ago
|
Assignee | ||
Comment 2•3 years ago
|
||
This is only a thing because Apple didn't lowercase file://
before doing their checks on inetloc files, right? (cf. https://www.tomsguide.com/uk/news/macos-finder-inetloc-flaw )
That doesn't seem like something for which we should add warnings to all inetloc files now; it'd just be a patch race between us and Apple - but adding this executable warning to the file would be inaccurate in the vast majority of cases (ie non-file://
inetloc files) and isn't that likely to help protect users (if they were gonna click on it anyway...), and only appears if opened from Firefox (not if opened from Finder or other applications). So my impression is that Firefox is not the right place to fix this issue. Dan?
Comment 3•3 years ago
|
||
Clearly Apple doesn't intend this behavior because they do block lowercase file://
, but warning would be both not enough and not always correct.
On the other hand this is a strange file type to be asking someone to download so maybe warning "too much" isn't all that bad? We do treat both .lnk and .url files on Windows as executables, and this file type seems to function like .url files.
Comment 4•3 years ago
|
||
The severity field is not set for this bug.
:Gijs, could you have a look please?
For more information, please visit auto_nag documentation.
Assignee | ||
Comment 5•3 years ago
|
||
Updated•3 years ago
|
Assignee | ||
Updated•3 years ago
|
Assignee | ||
Comment 6•3 years ago
|
||
Comment on attachment 9245224 [details]
Bug 1731779 - r?dveditz!,dimi!
Beta/Release Uplift Approval Request
- User impact if declined: Potential for security risk through
inetloc
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: No
- Needs manual test from QE?: Yes
- If yes, steps to reproduce: See comment 0
- List of other uplifts needed: n/a
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): We're just adding the extension to a bunch of lists, and updating tests accordingly.
- String changes made/needed: Nope
Assignee | ||
Updated•3 years ago
|
Assignee | ||
Comment 7•3 years ago
|
||
Comment 8•3 years ago
|
||
Comment 9•3 years ago
|
||
Comment on attachment 9245224 [details]
Bug 1731779 - r?dveditz!,dimi!
Approved for 94.0b9 and 91.3esr.
Updated•3 years ago
|
Comment 10•3 years ago
|
||
Comment 11•3 years ago
|
||
uplift |
Updated•3 years ago
|
Comment 12•3 years ago
|
||
Reproduced the reported issue as of comment 0 using Firefox 92.0, verified that the Warning message is successfully displayed when downloading the attached testcase using Firefox 94.0b9, latest Nightly 95.0a1 and latest 91 ESR build from treeherder.
Updated•3 years ago
|
Updated•3 years ago
|
Comment 13•3 years ago
|
||
Updated•3 years ago
|
Comment 14•3 years ago
|
||
Updated•3 years ago
|
Reporter | ||
Comment 15•3 years ago
|
||
Hello, could you please acknowledge me as "Hou JingYi (@hjy79425575)" instead of "houjingyi647"? Thank you!
Comment 16•3 years ago
|
||
I've updated the advisories and in the HoF we'll include the link to your twitter account.
Updated•2 years ago
|
Updated•2 years ago
|
Updated•8 months ago
|
Description
•