Closed Bug 250938 Opened 20 years ago Closed 20 years ago

Can open EXE files directly from Firefox if MIME type is application/x-msdos-program

Categories: Toolkit :: Downloads API, defect; x86, Windows XP; major

Tracking: RESOLVED FIXED, mozilla1.7.4

People: Reporter: bugzilla, Assigned: bugs

References: Blocks 1 open bug

Details: Keywords: fixed-aviary1.0

Attachments: 6 files
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; de-DE; rv:1.7) Gecko/20040707 Firefox/0.9.2
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; de-DE; rv:1.7) Gecko/20040707 Firefox/0.9.2

Although it should not be possible to select the "open with [dropdownbox]"
option when downloading an .EXE file, you are sometimes able to choose it. I
consider this insecure and therefore nominate this bug as a blocker for
Aviary 1.0. It is probably reproducible under every version of Windows and is
not limited to WinXP only.

I believe this problem occurs when the name of the .EXE file contains spaces,
but I am not quite sure.

Reproducible: Sometimes
Steps to Reproduce:
1. select any file ending in .EXE for download
2. notice the popup box to allow you to select "open with".
Actual Results:  
the download started and the program file opened immediately after it was
finished without further notice.

Expected Results:  
the option "open with" should have been blocked, as it is intended.
Flags: blocking-aviary1.0?
It appears that the MIME type application/x-msdos-program does not trigger the
'safe handling of exe files' mode. We need to fix that.
Blocks: 249951
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: blocking-aviary1.0RC1+
Flags: blocking-aviary1.0?
Flags: blocking-aviary1.0+
Summary: Sometimes, it is possible to select "open with" when downloading .EXE files → Can open EXE files directly from Firefox is MIME type is application/x-msdos-program
Summary: Can open EXE files directly from Firefox is MIME type is application/x-msdos-program → Can open EXE files directly from Firefox if MIME type is application/x-msdos-program
For me the severity of the bug is somewhat lessened because although I'm allowed
to select Open with exefile, it doesn't actually work. At the end of the
download, instead of executing the file, it pops up an error saying that the file
could not be opened, because an unknown error occurred.

However, we can't be sure this will happen for all files; clearly the reporter's
testcase file did execute for him. So we still need to fix the bug and add
application/x-msdos-program to the list of MIME types treated as executable files.

For those who are wondering,
http://www.ebrahim.org/mozilla/firefox/bugs/250938/foo.exe is a file that
contains the characters "bar" in it. Nothing more. It doesn't actually do
anything.
Assignee: bugs → bmo
Status: NEW → ASSIGNED
Target Milestone: --- → Firefox1.0beta
I've created the attachments of the three cases where we should be detecting EXE
files. Currently we handle application/octet-stream and application/x-msdownload
correctly, only application/x-msdos-program isn't detected.

I've added attachments to this bug for easy testing.

If anyone knows of any more cases where we should be blocking direct execution
from Firefox, please list the MIME types here for evaluation.
This patch creates a local function isWin32MIMETypeExecutable(mimeType) in each
file where the MIME types of stuff that we shouldn't allow the user to open
from Firefox are checked. This makes the code more readable (and hopefully easier to
maintain).

It also fixes a mistake in
/mozilla/toolkit/mozapps/downloads/content/editAction.js where one of the
blocked MIME types is application/object-stream, which doesn't exist. It
corrects and changes it to application/octet-stream.
Attachment #153110 - Flags: review?(mconnor)
Halt. I have a variant coming that is a little more complete. 
This may be technically incorrect since it assumes all files with .exe (etc)
names, no matter what the content type, are executables, but who misnames files
like this anyway...

Also, removes the menulist when there's no default handler and substitutes a
"Browse..." button. The menulist reappears when a handler is selected.
Assignee: bmo → bugs
Attachment #153110 - Flags: review?(mconnor)
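
The check the comments above converge on, written out as an added example (this is not the attached patch or Firefox source): a download counts as executable if either its MIME type or its file name says so. The function names, the extension list beyond .exe, and the sample downloads are assumptions made for illustration.

```javascript
// Added illustration, not Firefox source.
// MIME types this bug names as cases that must be detected as EXE files.
const EXECUTABLE_MIME_TYPES = new Set([
  "application/octet-stream",
  "application/x-msdownload",
  "application/x-msdos-program",
]);

// Assumption: the bug only says ".exe (etc)"; this list is illustrative.
const EXECUTABLE_EXTENSIONS = new Set(["exe", "com", "bat", "cmd", "pif", "scr"]);

// "Application/X-MSDOS-Program; charset=binary" -> "application/x-msdos-program"
function normalizeMimeType(mimeType) {
  return String(mimeType || "").split(";")[0].trim().toLowerCase();
}

// Lower-cased extension, ignoring trailing dots and spaces, which Windows
// drops when it resolves a file name ("readme.exe. " opens as readme.exe).
function effectiveExtension(filename) {
  const name = String(filename || "").replace(/[. ]+$/, "");
  const dot = name.lastIndexOf(".");
  return dot === -1 ? "" : name.slice(dot + 1).toLowerCase();
}

// True when the download dialog should not offer "open with".
// Either signal alone is enough, so an unlisted or misleading Content-Type
// cannot re-enable direct opening of a file named *.exe, and vice versa.
function isWin32Executable(mimeType, filename) {
  return (
    EXECUTABLE_MIME_TYPES.has(normalizeMimeType(mimeType)) ||
    EXECUTABLE_EXTENSIONS.has(effectiveExtension(filename))
  );
}

// Constructed sample downloads (not taken from the bug's attachments).
const samples = [
  ["application/x-msdos-program", "foo.exe"],
  ["Application/X-MSDOS-Program; charset=binary", "my tool"],
  ["text/plain", "my setup file.EXE"],
  ["text/plain", "readme.exe. "],
  ["text/plain", "notes.txt"],
];
for (const [type, name] of samples) {
  const verdict = isWin32Executable(type, name) ? "save only" : "open allowed";
  console.log(JSON.stringify(name), type, "->", verdict);
}
```
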
I believe this bug is also present in Mozilla: bug 236967
I checked this fix in, branch and trunk. 
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Keywords: fixed-aviary1.0
Product: Firefox → Toolkit