624 bytes, text/html
6.27 KB, patch
|Details | Diff | Splinter Review|
541 bytes, text/html; charset=UTF-8
User-Agent: Mozilla/5.0 (Windows; U; Win 9x 4.90; en-US; rv:1.7.3) Gecko/20041014 Firefox/0.10.1 Build Identifier: Mozilla/5.0 (Windows; U; Win 9x 4.90; en-US; rv:1.7.3) Gecko/20041014 Firefox/0.10.1 Alt + click downloads a link without a prompt. Using dom events, this user feature can be emulated. The result is content from any url may be downloaded to the default downloads folder. Reproducible: Always Steps to Reproduce: 1. Put code in onload event Expected Results: Prompt user, or filter this event.
Created attachment 162651 [details] Example that downloads firefox and extension when hyperlink clicked Could be placed in the onload event.
I think this is a valid concern. It's well-known (at least in security circles) that JS has the ability to trigger downloads, it's also well-known that Firefox downloads without prompt, but at least I didn't realize the combination. It means that you can drop an exe on my desktop and wait for me to be wondering/curious what it is and execute it, me assuming that I put it there and it's sane. So, IMHO, this is a security bug. Implementation: I don't think "blocking" downloads in onload like popups will work. The popup blocker is not designed to be bullet-proof (it's not a security feature, only annoyance prevention), nor do I think it can be. You can always make clicks do both a download/popup and a page change using JS.
Note that this is only promptless if the user has not selected Preferences (or Options) -> Downloads -> Ask me where to save every file. jst, haven't we done something at some point with checking if events were JS-generated or not? I couldn't find the code, but I think we've done it before. I suspect the right place for a nativeness check would be contentAreaClick in browser.js (which in this case calls handleLinkClick, which calls saveURL).
Since, with the default preferences on Windows, this allows an attacker to place a file (potentially executable and with a recognizable name and icon) on the desktop, I think this should block 1.0.
May I broaden this discussion a bit (or new bug)? This whole non-prompt download is dangerous and commonly abused even without JS. Websites pretending to have homework essays or whatever and trying to install 0900 dialers are very common in the wild (at least in Germany), and simply link to an exe instead of the page you expect.
Marking blocking-aviary1.0 per chofmann's request.
What we want here is a check for event.isTrusted (nsIDOMNSEvent::GetIsTrusted()) in the right place(s).
Created attachment 162769 [details] [diff] [review] possible patch This one doesn't crash. It seems to break middle-mouse paste - not sure why. I'm also not sure why aDOMEvent can be null.
Created attachment 162875 [details] [diff] [review] patch We need to set the trusted flag correctly for click events. I'm really wondering how anything that used that before ever worked...
Comment on attachment 162875 [details] [diff] [review] patch r+sr=jst
Comment on attachment 162875 [details] [diff] [review] patch a=asa for branches checkins.
Fix checked in to trunk, 2004-10-22 00:32 -0700. Fix checked in to AVIARY_1_0_20040515_BRANCH, 2004-10-22 00:32 -0700. Fix checked in to MOZILLA_1_7_BRANCH, 2004-10-22 00:33 -0700.
Security Advisories published, clearing confidential flag