Bug 275441 (Closed): File download extension spoofing with Content-Type and .ext<space>.<space> (SA12979 variant)
Opened 20 years ago, closed 19 years ago
Categories: Toolkit :: Downloads API, defect
Status: RESOLVED FIXED
People: Reporter: dveditz, Assigned: dougt
References: Depends on 1 open bug
Details: Keywords: fixed-aviary1.0.1, fixed1.7.6, Whiteboard: [sg:fix] ETA 2/11
Attachments: 1 file
Comment 1 • 20 years ago (Reporter)
Proof of concept attachment 168128 was added to bug 267123 after FF1.0 ship. Moving to a new bug to prevent confusion. Like bug 267122 and 267123 this uses our reliance on Content-Type vs. Windows' use of file extension to lay mines for the user to execute later. In this case adding space-dot-space on the end defeats our fix.
Whiteboard: [sg:fix]
Comment 2 • 20 years ago
I bet the real problem is that our definition of "extension" doesn't match the Windows definition. I recall that we have some code to strip trailing dots somewhere to deal with a variant of this attack; perhaps that code needs to be a little more involved?
Updated • 20 years ago (Reporter)
Flags: blocking-aviary1.0.1? → blocking-aviary1.0.1+
Updated • 19 years ago
Assignee: bugs → dougt
Whiteboard: [sg:fix] → [sg:fix] ETA 2/11
Comment 4 • 19 years ago (Assignee)
Dan, I have a patch in bug 267828 that will fix this.
Comment 5 • 19 years ago (Reporter)
Please verify by testing attachment 168128.
Status: NEW → RESOLVED
Closed: 19 years ago
Keywords: fixed-aviary1.0.1, fixed1.7.6
Resolution: --- → FIXED
Comment 6 • 19 years ago
Reopening. Testing bug 267828 failed for me and I am still seeing problems on the Aviary 1.0.1 branch:

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050221 Firefox/1.0.1

I will attach screenshots of the dialogs I am seeing, the testcases for each are shown as well.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Comment 7 • 19 years ago
Comment 8 • 19 years ago (Reporter)
Clearing fixed flags, this one isn't. Bug 267828 does appear fixed, but apparently wasn't sufficient to fix this one.
Depends on: 267828
Keywords: fixed-aviary1.0.1, fixed1.7.6
Comment 9 • 19 years ago
Clearing the 1.0.1 flag for this since Firefox 1.0.1 has already shipped.
Flags: blocking-aviary1.0.1+ → blocking-aviary1.0.2?
Comment 10 • 19 years ago (Reporter)
Not blocking 1.0.3
Flags: blocking-aviary1.0.3? → blocking-aviary1.0.3-
Comment 11 • 19 years ago (Reporter)
This is fixed. You need to get beyond the screenshot and actually "Open With". The executable extension is detected (thanks to bug 267828), the MIME-type-matching extension is added, and the appropriate handler is launched (e.g. image viewer for .gif and Windows Media Player for .avi). If you "save as" the MIME-matching extension is added.

In the Mozilla Suite the "open with" happens as described. A "Save As" brings up a standard filepicker with the .bat extension clearly shown, and that's probably good enough for the Suite audience.
Status: REOPENED → RESOLVED
Closed: 19 years ago → 19 years ago
Keywords: fixed-aviary1.0.1, fixed1.7.6
Resolution: --- → FIXED
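
The extension mismatch discussed in this bug, as an added example that is not part of the original thread and is not Mozilla's code: Windows ignores trailing spaces and dots in a file name, so an extension check that trims only dots reads `.ext<space>.<space>` differently from the OS. All function names, the sample file names and the two lookup tables are constructed for illustration.

```cpp
#include <algorithm>
#include <cctype>
#include <map>
#include <set>
#include <string>

// Drop every trailing character that appears in `trim`.
std::string TrimTrailing(std::string name, const char* trim) {
    size_t end = name.find_last_not_of(trim);
    name.erase(end == std::string::npos ? 0 : end + 1);
    return name;
}

// Lowercased text after the last dot once the `trim` characters are dropped.
std::string ExtensionAfterTrim(const std::string& raw, const char* trim) {
    std::string name = TrimTrailing(raw, trim);
    size_t dot = name.rfind('.');
    if (dot == std::string::npos) return "";
    std::string ext = name.substr(dot + 1);
    std::transform(ext.begin(), ext.end(), ext.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return ext;
}

// Constructed sample tables (assumption); real lists are much longer.
const std::set<std::string> kExecutableExts = {"bat", "cmd", "com", "exe", "pif", "scr"};
const std::map<std::string, std::string> kMimeToExt = {
    {"image/gif", "gif"}, {"video/x-msvideo", "avi"}};

// Windows ignores trailing spaces and dots in the final path component, so the
// check trims both; trimming dots alone leaves " " as the extension.
bool IsExecutableOnWindows(const std::string& raw) {
    return kExecutableExts.count(ExtensionAfterTrim(raw, " .")) > 0;
}

// Name to save or hand to a helper: trimmed the way Windows will see it, with
// the MIME-matching extension appended when the existing one is executable.
// An unknown MIME type returns the trimmed name unchanged.
std::string SafeName(const std::string& raw, const std::string& mime) {
    std::string name = TrimTrailing(raw, " .");
    auto it = kMimeToExt.find(mime);
    if (IsExecutableOnWindows(raw) && it != kMimeToExt.end())
        name += "." + it->second;
    return name;
}
```
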
Updated • 19 years ago
Flags: testcase+
Comment 13 • 18 years ago
(In reply to comment #12)
> http://secunia.com/advisories/12979/

Hell is anyone out there. If this is fixed, why does Secunia still mark it as partially fixed.
Comment 14 • 18 years ago
(In reply to comment #13)
> (In reply to comment #12)
> > http://secunia.com/advisories/12979/
>
> Hell is anyone out there. If this is fixed, why does Secunia still mark it as
> partially fixed.

Secunia also lists bug 267123 as one of the relevant bugs, hence the "partial fix" status.
Updated • 17 years ago
Flags: in-testsuite+ → in-testsuite?
Updated • 16 years ago
Product: Firefox → Toolkit