Closed Bug 1837514 Opened 2 years ago Closed 1 year ago

Extension sanitization (.lnk, .local) bypass using pipe (|) + "Always ask you where to save files"

Categories

(Firefox :: File Handling, defect, P2)

Product:
Firefox
Component:
File Handling
Version:
Firefox 114
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
firefox-esr115 127+ fixed
firefox126 --- wontfix
firefox127 + fixed
firefox128 + fixed

People

(Reporter: haxatron1, Assigned: enndeakin)

References

(
URL
)

Details

(Keywords: reporter-external, sec-moderate, Whiteboard: [adv-esr115.12+][fixed by bug 1891234][adv-main127+])

Attachments

(2 files)

download.html
53 bytes, text/html
Details
example.txt
4 bytes, text/plain
Details

+++ This bug was initially created as a clone of Bug #1815204 +++

Weirdly, when "Always ask you where to save files" enabled, it is again possible to bypass filters and save lnk / local / url / scf files in Firefox.

For instance, saving a file named "test.ln||k" with "Always ask you where to save files" gets transformed to a file named "test.ln k.lnk" which is considered a .lnk extension, bypassing the filtering.

(1) Enable "Always ask you where to save files".
(2) Test the download by clicking the link using https://deluxe-remarkable-cacao.glitch.me/

Attached file download.html
Attached file example.txt
Flags: sec-bounty?

This seems to be the case that Windows IFileDialog.setDefaultExtension collapses any spaces that it encounters in the extension.

We could either just replace the spaces with underscores or somesuch just before calling setDefaultExtension. Alternatively we could modify SanitizeExtension to replace illegal characters in the extension with underscores instead of spaces.

(In reply to Neil Deakin from comment #3)

Alternatively we could modify SanitizeExtension to replace illegal characters in the extension with underscores instead of spaces.

This seems reasonable to me. Neil, do you have time to write this patch?

Flags: needinfo?(enndeakin)
Component: Security → File Handling

I looked into this in more detail and the issue is actually because of the line at https://searchfox.org/mozilla-central/rev/ddd233d195a5e4b1c75a972a7fd322947fa1d5e3/widget/windows/nsFilePicker.cpp#461 in AppendFilter() which strips out whitespace from the file extension. This was added by 715129 to handle an unrelated fix, so I am not sure why the whitespace is being removed.

If I remove the whitespace stripping, the extension on the default filename is correct, however it is duplicated. (test.ln k becomes test.ln k.ln k). I could add extra code to remove this duplication although this might be an edge case not worth handling.

Assignee: nobody → enndeakin
Status: NEW → ASSIGNED
Flags: needinfo?(enndeakin)
Severity: -- → S3
Priority: -- → P2

Neil, did your other patch perhaps fix this? Or if not, are you planning a separate patch here?

Flags: needinfo?(enndeakin)

Yes, this was fixed by the other bug.

Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Flags: needinfo?(enndeakin)
Resolution: --- → FIXED

Which other bug? bug 1815062?

Flags: needinfo?(enndeakin)

Bug 1891234

Depends on: CVE-2024-5692
Flags: needinfo?(enndeakin)
Group: firefox-core-security → core-security-release
Whiteboard: [fixed by bug 1891234]
Flags: sec-bounty? → sec-bounty+
Whiteboard: [fixed by bug 1891234] → [fixed by bug 1891234][adv-main127+]
Whiteboard: [fixed by bug 1891234][adv-main127+] → [adv-esr115.12+][fixed by bug 1891234][adv-main127+]
QA Whiteboard: [post-critsmash-triage]
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: