Bug 265176 - Javascript allows websites to download content without prompt.
Status: RESOLVED FIXED
Whiteboard: [sg:low] has patch, has approval, nee...
Keywords: fixed-aviary1.0, fixed1.7.5
Product: Core
Classification: Components
Component: DOM: Events
Version: Trunk
Platform: All All
Importance: P1 normal
Target Milestone: mozilla1.8alpha5
Assigned To: David Baron :dbaron: ⌚️UTC-7 (busy September 14-25)
QA Contact: Hixie (not reading bugmail)
Depends on: 265692 666604
Blocks: 248511
Reported: 2004-10-19 19:48 PDT by Omar Khan
Modified: 2011-06-30 12:18 PDT
jst: blocking‑aviary1.0+

Attachments
Example that downloads firefox and extension when hyperlink clicked (624 bytes, text/html)
2004-10-19 19:50 PDT, Omar Khan
no flags
possible patch (untested) (4.03 KB, patch)
2004-10-20 15:50 PDT, David Baron :dbaron: ⌚️UTC-7 (busy September 14-25)
no flags
possible patch (4.78 KB, patch)
2004-10-20 17:03 PDT, David Baron :dbaron: ⌚️UTC-7 (busy September 14-25)
no flags
patch (6.27 KB, patch)
2004-10-21 12:19 PDT, David Baron :dbaron: ⌚️UTC-7 (busy September 14-25)
jst: review+
jst: superreview+
asa: approval‑aviary+
asa: approval1.7.5+
testcase for link opening in new tab and same page (541 bytes, text/html; charset=UTF-8)
2004-10-21 15:34 PDT, David Baron :dbaron: ⌚️UTC-7 (busy September 14-25)
no flags

Description Omar Khan 2004-10-19 19:48:11 PDT
User-Agent:       Mozilla/5.0 (Windows; U; Win 9x 4.90; en-US; rv:1.7.3) Gecko/20041014 Firefox/0.10.1
Build Identifier: Mozilla/5.0 (Windows; U; Win 9x 4.90; en-US; rv:1.7.3) Gecko/20041014 Firefox/0.10.1

Alt + click downloads a link without a prompt.
Using DOM events, this user feature can be emulated.
The result is content from any URL may be downloaded to the default downloads folder.

Reproducible: Always
Steps to Reproduce:
1. Put code in onload event


Expected Results:
Prompt user, or filter this event.
Comment 1 Omar Khan 2004-10-19 19:50:25 PDT
Created attachment 162651
Example that downloads firefox and extension when hyperlink clicked

Could be placed in the onload event.
Comment 2 Ben Bucksch (:BenB) 2004-10-19 20:23:02 PDT
I think this is a valid concern. It's well-known (at least in security circles)
that JS has the ability to trigger downloads, it's also well-known that Firefox
downloads without prompt, but at least I didn't realize the combination. It
means that you can drop an exe on my desktop and wait for me to be
wondering/curious what it is and execute it, me assuming that I put it there and
it's sane. So, IMHO, this is a security bug.

Implementation:
I don't think "blocking" downloads in onload like popups will work. The popup
blocker is not designed to be bullet-proof (it's not a security feature, only
annoyance prevention), nor do I think it can be. You can always make clicks do
both a download/popup and a page change using JS.
Comment 3 David Baron :dbaron: ⌚️UTC-7 (busy September 14-25) 2004-10-19 20:31:00 PDT
Note that this is only promptless if the user has not selected Preferences (or
Options) -> Downloads -> Ask me where to save every file.

jst, haven't we done something at some point with checking if events were
JS-generated or not?  I couldn't find the code, but I think we've done it before.

I suspect the right place for a nativeness check would be contentAreaClick in
browser.js (which in this case calls handleLinkClick, which calls saveURL).
Comment 4 David Baron :dbaron: ⌚️UTC-7 (busy September 14-25) 2004-10-19 20:33:52 PDT
Since, with the default preferences on Windows, this allows an attacker to place
a file (potentially executable and with a recognizable name and icon) on the
desktop, I think this should block 1.0.
Comment 5 Ben Bucksch (:BenB) 2004-10-19 20:36:51 PDT
May I broaden this discussion a bit (or new bug)? This whole non-prompt download
is dangerous and commonly abused even without JS. Websites pretending to have
homework essays or whatever and trying to install 0900 dialers are very common
in the wild (at least in Germany), and simply link to an exe instead of the page
you expect.
Comment 6 Johnny Stenback (:jst, jst@mozilla.com) 2004-10-20 15:09:45 PDT
Marking blocking-aviary1.0 per chofmann's request.
Comment 7 Johnny Stenback (:jst, jst@mozilla.com) 2004-10-20 15:16:45 PDT
What we want here is a check for event.isTrusted (nsIDOMNSEvent::GetIsTrusted())
in the right place(s).
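
Added example (not part of the bug thread and not the Mozilla patch): a simplified model of the `event.isTrusted` gate discussed above, where a click handler grants the Alt+click "save link" shortcut only to browser-generated events. The names `decideLinkAction`, `syntheticAltClick`, `userAltClick` and `runDemo` are hypothetical, and falling back to plain navigation for untrusted events is an assumption of this sketch.

```javascript
// Added example: simplified model of a chrome-side link click handler.
// All function and variable names here are hypothetical.

// Decide what a click on a link is allowed to do.
function decideLinkAction(event) {
  const wantsSave = event.altKey === true;             // Alt+click: save link
  const wantsNewTab = event.ctrlKey === true || event.button === 1;
  // isTrusted is true only for events the browser generated from real input.
  // Script-dispatched events never get the privileged shortcuts; in this
  // model (an assumption) they fall back to ordinary navigation.
  if (event.isTrusted !== true) {
    return { action: "navigate", downgraded: wantsSave || wantsNewTab };
  }
  if (wantsSave) return { action: "save", downgraded: false };
  if (wantsNewTab) return { action: "newtab", downgraded: false };
  return { action: "navigate", downgraded: false };
}

// Constructed sample: a click created by page script. The script chooses the
// modifier state, but the platform reports isTrusted === false for it.
function syntheticAltClick() {
  const ev = new Event("click", { bubbles: true, cancelable: true });
  ev.altKey = true;
  ev.ctrlKey = false;
  ev.button = 0;
  return ev;
}

// Constructed stand-in for the event the browser delivers on a real Alt+click.
// Script cannot create such an event, so a plain object models it here.
const userAltClick = Object.freeze({
  type: "click", isTrusted: true, altKey: true, ctrlKey: false, button: 0,
});

function runDemo() {
  const link = new EventTarget();
  const decisions = [];
  link.addEventListener("click", (e) => decisions.push(decideLinkAction(e)));
  link.dispatchEvent(syntheticAltClick());         // script path
  decisions.push(decideLinkAction(userAltClick));  // modelled user path
  return decisions;
}

console.log(runDemo());
```
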
Comment 8 David Baron :dbaron: ⌚️UTC-7 (busy September 14-25) 2004-10-20 15:50:12 PDT
Created attachment 162763
possible patch (untested)
Comment 9 David Baron :dbaron: ⌚️UTC-7 (busy September 14-25) 2004-10-20 17:03:20 PDT
Created attachment 162769
possible patch

This one doesn't crash.  It seems to break middle-mouse paste - not sure why. 
I'm also not sure why aDOMEvent can be null.
Comment 10 David Baron :dbaron: ⌚️UTC-7 (busy September 14-25) 2004-10-21 12:19:56 PDT
Created attachment 162875
patch

We need to set the trusted flag correctly for click events.  I'm really
wondering how anything that used that before ever worked...
Comment 11 Johnny Stenback (:jst, jst@mozilla.com) 2004-10-21 15:27:28 PDT
Comment on attachment 162875
patch

r+sr=jst
Comment 12 David Baron :dbaron: ⌚️UTC-7 (busy September 14-25) 2004-10-21 15:34:31 PDT
Created attachment 162921
testcase for link opening in new tab and same page
Comment 13 Asa Dotzler [:asa] 2004-10-21 15:47:50 PDT
Comment on attachment 162875
patch

a=asa for branches checkins.
Comment 14 David Baron :dbaron: ⌚️UTC-7 (busy September 14-25) 2004-10-22 00:36:04 PDT
Fix checked in to trunk, 2004-10-22 00:32 -0700.
Fix checked in to AVIARY_1_0_20040515_BRANCH, 2004-10-22 00:32 -0700.
Fix checked in to MOZILLA_1_7_BRANCH, 2004-10-22 00:33 -0700.
Comment 15 Boris Zbarsky [:bz] (TPAC) 2004-10-23 10:26:19 PDT
This caused bug 265692.
Comment 16 Daniel Veditz [:dveditz] 2005-01-24 13:41:13 PST
Security Advisories published, clearing confidential flag
