Closed Bug 245380 Opened 20 years ago Closed 19 years ago

.pl file executed with activestate perl when installed w/out asking

Categories

(Firefox :: File Handling, defect, P4)

x86
Windows XP

RESOLVED WORKSFORME

People

(Reporter: jonathan.williams, Assigned: bugs)

Details

(Whiteboard: [sg:fix])

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6) Gecko/20040206 Firefox/0.8
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6) Gecko/20040206 Firefox/0.8

Firefox appears to execute .pl files with perl blindly. This is a Bad Thing,
even if a cruddy application sets up the association in this way.

Reproducible: Always
Steps to Reproduce:
1. Install ActiveState Perl
2. Click a .pl file
Actual Results:
perl runs

Expected Results:
prompted to open with perl / save

http://music.calarts.edu/gongcastg2.pl is sent as "audio/x-pn-realaudio", which
is on Firefox's default list of mime types to open with the appropriate app.  (I
guess real uses the .pl extension for playlists.)  It sounds like Firefox is
passing the file to the default app for the *extension* after determining
whether to save/open it based on the *mime type*, creating this security hole.

Ben Goodger introduced Firefox's default mimeTypes.rdf in bug 223333.  

I haven't tried to reproduce this bug.

I don't know whether the hole exists without a default mimeTypes.rdf.  (If the
*user* chooses to always open .ogg files in Winamp, can a site serve a .pl file
as application/ogg and get it executed as a Perl script?)

I don't know whether you can exploit this hole with anything that comes with
Windows, or if it requires the victim to have ActiveState Perl.
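
The mismatch suspected in the comment above, modelled as an added example that is not Firefox code: `naiveDecision` chooses open or prompt from the MIME type but launches the handler registered for the extension, while `checkedDecision` prompts unless the extension belongs to the served type. The tables, function names and handler names are constructed for illustration.

```javascript
// Added illustration, not Firefox code. All tables are constructed sample data.

// Per-type preferences, named after the settings mentioned in the thread.
const mimePrefs = new Map([
  ["audio/x-pn-realaudio", { useSystemDefault: true, alwaysAsk: false }],
]);
// Extensions treated as belonging to each type (assumed mapping).
const mimeExtensions = new Map([["audio/x-pn-realaudio", ["ra", "ram"]]]);
// OS extension associations (constructed; "pl" as set by a Perl install).
const osHandlers = new Map([
  ["ra", "realplay.exe"],
  ["ram", "realplay.exe"],
  ["pl", "perl.exe"],
]);

// Drop parameters such as "; charset=..." and compare case-insensitively.
function normalizeType(contentType) {
  return String(contentType).split(";")[0].trim().toLowerCase();
}

// Windows ignores trailing dots and spaces, so "x.pl. " still resolves to .pl.
function extensionOf(filename) {
  const name = String(filename).replace(/[. ]+$/, "");
  const dot = name.lastIndexOf(".");
  return dot < 0 ? "" : name.slice(dot + 1).toLowerCase();
}

// Flow suspected in the comment: decide by MIME type, dispatch by extension.
function naiveDecision(contentType, filename) {
  const pref = mimePrefs.get(normalizeType(contentType));
  if (!pref || pref.alwaysAsk) return { action: "prompt" };
  return { action: "open", handler: osHandlers.get(extensionOf(filename)) };
}

// Checked flow: auto-open only when the extension belongs to the served type,
// so the application that runs is the one the type-based decision was about.
function checkedDecision(contentType, filename) {
  const type = normalizeType(contentType);
  const ext = extensionOf(filename);
  const pref = mimePrefs.get(type);
  const allowed = mimeExtensions.get(type) || [];
  if (!pref || pref.alwaysAsk || !allowed.includes(ext) || !osHandlers.has(ext)) {
    return { action: "prompt" };
  }
  return { action: "open", handler: osHandlers.get(ext) };
}
```
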
Group: security
Flags: blocking0.9?
Whiteboard: security

I'm taking Jesse's comment as confirmation of this bug

Severity: normal → critical
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: .pl file executed with activestate perl when installed → .pl file executed with activestate perl when installed w/out asking
Whiteboard: security → [sg:mustfix]
Status: NEW → ASSIGNED
Flags: blocking0.9? → blocking0.9+

I decided I don't just want to prune the entries from mimeTypes.rdf, since
that's unfair to the majority of users that have never heard of activeperl.

Moving this into 1.0 for more in-depth investigation.

Flags: blocking1.0+
Flags: blocking0.9-
Flags: blocking0.9+
Priority: -- → P4

Jesse wrote me to say that he didn't intend his comments as a confirmation. I
just tried it and cannot reproduce with firefox build 20040607, and I do have
activestate perl installed with the .pl type mapped to perl.

That said, a default value of alwaysAsk=false for *any* useSystemDefault type
seems like a very, very bad thing if I'm understanding those settings correctly.

P4 priority - not a blocker. If a fully reviewed patch materializes, please
nominate for aviary approval.

Flags: blocking-aviary1.0+ → blocking-aviary1.0-
Depends on: 264265

So where is the Firefox-default mimeTypes.rdf?  lxr is just showing the same (empty)
datasources that SeaMonkey uses as default....

Yes, bug 264265 backed out bug 223333 resulting in an empty default
mimetypes.rdf. I'm not entirely sure what this bug tracks now.

consolidating sg: markings

Whiteboard: [sg:mustfix] → [sg:fix]
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → WORKSFORME
Group: security