Closed Bug 288722 Opened 19 years ago Closed 19 years ago

ContextMenu.imageURL uses content supplied img-src-getter value.

Categories

(Core :: Graphics: Image Blocking, defect)

x86
Windows ME
defect
Not set
normal


RESOLVED FIXED

People

(Reporter: mromarkhan, Assigned: dveditz)

References

Details

(Keywords: fixed-aviary1.0.3, fixed1.7.7, Whiteboard: [sg:fix] spoof)

Attachments

(2 files)

User-Agent:       Mozilla/5.0 (Windows; U; Win 9x 4.90; en-US; rv:1.8b2) Gecko/20050401 Firefox/1.0+
Build Identifier: Mozilla/5.0 (Windows; U; Win 9x 4.90; en-US; rv:1.8b2) Gecko/20050401 Firefox/1.0+

Can override an image getter to specify an arbitrary uri.
If user selects context-menu->save image as, the arbitrary uri
is downloaded.
Alright, if words do not suffice:
<img id="x" src="http://www.mozilla.org/images/mozilla-banner.gif"
onload="this.src getter = function() { return 'http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe' };"
/>

Not sure if this is considered a security bug.  Seems like one.

Reproducible: Always

Steps to Reproduce:
1. Load testcase
2. Right click image
3. Select Save Image As
4. Notice exe file is selected

Actual Results:  
Exe file is selected instead of image.

Expected Results:  
I want to save the image not the file.
Thank you.
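To make the mechanism concrete, here is an added example that is not part of this bug or of Mozilla's code: a content-defined getter shadows img.src so that a privileged reader gets the attacker-chosen URL, and a reader that calls the prototype's accessor instead does not. FakeImageElement stands in for HTMLImageElement (Node has no DOM), Object.defineProperty replaces the legacy "getter =" syntax, and the spoofed URL is a constructed placeholder.

```javascript
// Stand-in for HTMLImageElement (assumption: Node has no DOM). The real DOM
// also exposes src as an accessor on the prototype, not on the instance.
class FakeImageElement {
  constructor(src) { this._attrs = { src }; }
  getAttribute(name) { return this._attrs[name]; }
  get src() { return this._attrs.src; }
  set src(value) { this._attrs.src = value; }
}

// What the testcase does, in modern syntax: install an own-property getter on
// the element that returns a URL of content's choosing.
function contentOverridesGetter(img, spoofedUrl) {
  Object.defineProperty(img, 'src', { get: () => spoofedUrl, configurable: true });
  return img;
}

// Naive privileged read (what contextMenu.imageURL effectively did while
// chrome and content shared the same wrapper): runs content's getter.
function naiveImageURL(img) {
  return img.src;
}

// Hardened read: invoke the accessor defined on the prototype, bypassing any
// own property the page installed. The real fix was wrapper separation
// (bug 281988); this is the same principle expressed at the JS level.
// img.getAttribute('src') would be an equally safe alternative here.
function hardenedImageURL(img) {
  const desc = Object.getOwnPropertyDescriptor(FakeImageElement.prototype, 'src');
  return desc.get.call(img);
}

// Check a defender can run: has content shadowed an accessor that should
// only ever come from the prototype?
function hasShadowedAccessor(img, prop) {
  const own = Object.getOwnPropertyDescriptor(img, prop);
  return own !== undefined && typeof own.get === 'function';
}

const realImage = 'http://www.mozilla.org/images/mozilla-banner.gif';
const spoofed = 'http://example.invalid/not-an-image.exe';   // constructed placeholder
const img = contentOverridesGetter(new FakeImageElement(realImage), spoofed);
```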
Attached file Testcase
Is this a security bug?
Actually the problem seems to be contextMenu.imageURL (but what do I know?), since I
notice the image blocker is also fooled.
Component: Security → Image Blocking
Summary: Save Image As downloads img uri specified by img-src-getter property. → ContextMenu.imageURL uses content supplied img-src-getter value.
ImageMap next?
Note, this no longer works on the experimental build relating to bug 289231
"Landing patch from bug 281988 to generate builds for testing purposes. Will be
backed out shortly."
Re [4]: I meant Bug 281988, "Stop sharing DOM object wrappers between content and
chrome".
Testcases work again in the 2005040606 builds from this morning after the bug
281988 patch was backed out. That's ultimately the right thing to do and will
most likely land for 1.1, but needs a bit of work first.

Sorry I forgot to confirm this when I first saw it. We've been busy with bug
289074 and friends :-(
Status: UNCONFIRMED → NEW
Depends on: 281988
Ever confirmed: true
Whiteboard: [sg:fix] spoof
Fixed by bug 289074 and friends on the branches
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Fixed on branches, but bug 281988 has not yet landed on trunk.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
bug 281988 has landed on trunk for Deer Park Alpha 1
Group: security
Status: REOPENED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Flags: testcase+
Flags: in-testsuite+ → in-testsuite?
