Closed Bug 278121 Opened 20 years ago Closed 17 years ago

crash clicking data: URL containing program [@ js_AllocGCThing]

Product/Component: Core Graveyard :: File Handling
Type: defect
Platform: x86, Windows XP
Priority: Not set
Severity: critical
Tracking: Not tracked
Status: RESOLVED WORKSFORME
Reporter: hjtoi-bugzilla
Assignee: Unassigned
Keywords: crash
Attachments: 1 file

crash clicking data: URL containing program

This was reported by Michael Holzt to the full-disclosure mailing list. The
original poster mainly reported a security hole in Opera, but he had tested with
Mozilla and Firefox as well, which did not behave totally right either. Extracted
the Mozilla/Firefox parts here:

> The attack works by using a URL scheme like this:
>
>   <a href="data:application/x-msdos-program;base64,
>     [base64 data]">Click me!</a>
>
> I've made an example available which embeds putty.exe. The example is about
> 500 kByte HTML and is available on XXX. Please do
> not spread this URL outside of this list because of the traffic. Feel free
> to copy the example to your own webspace.
>
> My tests with various Windows-based web browsers had the following results:
>
>  - Mozilla 1.5.4 will try to open the "what should I do with that" file
>    dialog and then hangs. Needs to get killed.
>
>  - Firefox 1.0 allows saving of the data to hard disk (on Linux it will
>    also display much rubbish in the save dialog)

When I tested with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5)
Gecko/20041217 I got a crash clicking the data URL (before even file handling
dialog - so I am not sure if this is the right component).

Talkback URL:
http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=2&type=iid&id=3026440#id

I'll attach the testcase as well.
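
Added example, not part of the original bug report or of Mozilla's code: a Python check that finds the link shape quoted above in a page and flags `data:` URLs whose declared media type or decoded leading bytes indicate a program. The media-type list, the function and class names, and the sample HTML are assumptions made for illustration.

```python
import base64, binascii
from html.parser import HTMLParser
from urllib.parse import unquote_to_bytes

# Assumed deny-list for illustration; extend it to match local policy.
EXECUTABLE_TYPES = {"application/x-msdos-program", "application/x-msdownload"}
MAGIC = {b"MZ": "PE/DOS", b"\x7fELF": "ELF"}
# Constructed sample in the report's link shape; payload is 12 PE-header bytes.
SAMPLE_HTML = """<a href="data:application/x-msdos-program;base64,
    TVqQAAMA
    AAAEAAAA">Click me!</a>
<a href="data:text/plain,hello">harmless</a>"""

def inspect_data_url(url):
    """Return (mime, reasons) for a data: URL, or None for any other URL."""
    url = url.strip()
    if not url.lower().startswith("data:"):
        return None
    header, _, body = url[5:].partition(",")
    params = [p.strip().lower() for p in header.split(";")]
    mime = params[0] or "text/plain"  # RFC 2397 default media type
    payload = unquote_to_bytes(body)
    if "base64" in params[1:]:
        try:  # whitespace inside the attribute value is ignored by browsers
            payload = base64.b64decode(b"".join(payload.split()), validate=True)
        except (binascii.Error, ValueError):
            return (mime, ["undecodable base64 payload"])
    reasons = [f"executable media type {mime}"] if mime in EXECUTABLE_TYPES else []
    reasons += [f"payload starts with {label} magic bytes"
                for magic, label in MAGIC.items() if payload.startswith(magic)]
    return (mime, reasons)

class DataLinkScanner(HTMLParser):
    """Collect data: URLs in href/src attributes that look like programs."""
    def __init__(self):
        super().__init__()
        self.findings = []
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                mime, reasons = inspect_data_url(value) or ("", [])
                if reasons:
                    self.findings.append((tag, name, mime, reasons))

def scan_html(html):
    scanner = DataLinkScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings
```

Checking the decoded bytes as well as the declared type catches a program labelled with an innocuous media type such as `text/plain`.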

gzipped HTML file (it was too big otherwise). Save, gunzip, open.

Sounds like part of the problem is attempting to show the whole data: url in the
dialog... I thought we had existing bugs on that, though.

Whiteboard: DUPEME

We should probably use crop="middle" or something on the URL.

I could not reproduce this bug under Mozilla/5.0 (Windows; U; Windows NT 5.1;
en-US; rv:1.8a6) Gecko/20050112 Firefox/1.0.

Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8a6) Gecko/20050114
Firefox/1.0+

No crash for me; the file saved as 305m7cpe-1 .

I did get this message:
WARNING: Write failed (non-fatal), file
../../../../src/xpcom/io/nsInputStreamTee.cpp, line 84

(In reply to comment #2)
> Sounds like part of the problem is attempting to show the whole data: url in
> the dialog... I thought we had existing bugs on that, though.

I'm not finding a dup.

Shouldn't this be closed, given comment 3 and comment 4?

=> WFM per comment 4 and comment 5
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → WORKSFORME
Crash Signature: [@ js_AllocGCThing]
Whiteboard: DUPEME
Product: Core → Core Graveyard