Closed Bug 265176 Opened 15 years ago Closed 15 years ago

Javascript allows websites to download content without prompt.

Categories

(Core :: DOM: Events, defect, P1)

defect

Tracking

()

RESOLVED FIXED
mozilla1.8alpha5

People

(Reporter: mromarkhan, Assigned: dbaron)

References

Details

(Keywords: fixed-aviary1.0, fixed1.7.5, Whiteboard: [sg:low] has patch, has approval, needs landing)

Attachments

(3 files, 2 obsolete files)

User-Agent:       Mozilla/5.0 (Windows; U; Win 9x 4.90; en-US; rv:1.7.3) Gecko/20041014 Firefox/0.10.1
Build Identifier: Mozilla/5.0 (Windows; U; Win 9x 4.90; en-US; rv:1.7.3) Gecko/20041014 Firefox/0.10.1

Alt + click downloads a link without
a prompt.
Using dom events, this user
feature can
be emulated.
The result is content from any url
may be downloaded to the default
downloads folder.

Reproducible: Always
Steps to Reproduce:
1. Put code in onload event


Expected Results:  
Prompt user,
or filter this
event.
Could be placed in the onload
event.
I think this is a valid concern. It's well-known (at least in security circles)
that JS has the ability to trigger downloads, it's also well-known that Firefox
downloads without prompt, but at least I didn't realize the combination. It
means that you can drop an exe on my desktop and wait for me to be
wondering/curious what it is and execute it, me assuming that I put it there and
it's sane. So, IMHO, this is a security bug.

Implementation:
I don't think "blocking" downloads in onload like popups will work. The popup
blocker is not designed to be bullet-proof (it's not a security feature, only
annoyance prevention), nor do I think it can be. You can always make clicks do
both a download/popup and a page change using JS.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Note that this is only promptless if the user has not selected Preferences (or
Options) -> Downloads -> Ask me where to save every file.

jst, haven't we done something at some point with checking if events were
JS-generated or not?  I couldn't find the code, but I think we've done it before.

I suspect the right place for a nativeness check would be contentAreaClick in
browser.js (which in this case calls handleLinkClick, which calls saveURL).
Since, with the default preferences on Windows, this allows an attacker to place
a file (potentially executable and with a recognizable name and icon) on the
desktop, I think this should block 1.0.
Flags: blocking-aviary1.0?
May I broaden this discussion a bit (or new bug)? This whole non-prompt download
is dangerous and commonly abused even without JS. Websites pretending to have
homework essays or whatever and trying to install 0900 dialers are very common
in the wild (at least in Germany), and simply link to an exe instead of the page
you expect.
Marking blocking-aviary1.0 per chofmann's request.
Flags: blocking-aviary1.0? → blocking-aviary1.0+
What we want here is a check for event.isTrusted (nsIDOMNSEvent::GetIsTrusted())
in the right place(s).
Assignee: events → dbaron
Attached patch possible patch (obsolete) — Splinter Review
This one doesn't crash.  It seems to break middle-mouse paste - not sure why. 
I'm also not sure why aDOMEvent can be null.
Attachment #162763 - Attachment is obsolete: true
Whiteboard: has draft patch
Attached patch patchSplinter Review
We need to set the trusted flag correctly for click events.  I'm really
wondering how anything that used that before ever worked...
Attachment #162769 - Attachment is obsolete: true
Comment on attachment 162875 [details] [diff] [review]
patch

r+sr=jst
Attachment #162875 - Flags: superreview+
Attachment #162875 - Flags: review+
Attachment #162875 - Attachment description: possible patch → patch
Attachment #162875 - Flags: approval1.7.x?
Attachment #162875 - Flags: approval-aviary?
Comment on attachment 162875 [details] [diff] [review]
patch

a=asa for branches checkins.
Attachment #162875 - Flags: approval1.7.x?
Attachment #162875 - Flags: approval1.7.x+
Attachment #162875 - Flags: approval-aviary?
Attachment #162875 - Flags: approval-aviary+
Whiteboard: has draft patch → has patch, has approval, needs landing
Fix checked in to trunk, 2004-10-22 00:32 -0700.
Fix checked in to AVIARY_1_0_20040515_BRANCH, 2004-10-22 00:32 -0700.
Fix checked in to MOZILLA_1_7_BRANCH, 2004-10-22 00:33 -0700.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
OS: Windows ME → All
Priority: -- → P1
Hardware: PC → All
Target Milestone: --- → mozilla1.8alpha5
This caused bug 265692.
Depends on: 265692
Blocks: 248511
Security Advisories published, clearing confidential flag
Group: security
Depends on: 666604
Whiteboard: has patch, has approval, needs landing → [sg:low] has patch, has approval, needs landing
You need to log in before you can comment on or make changes to this bug.