Closed
Bug 289662
Opened 20 years ago
Closed 16 years ago
Remembering an enablePrivilege decision for a local file will apply to all future local files
Categories
(Core :: Security: CAPS, defect)
Tracking
()
RESOLVED
WORKSFORME
People
(Reporter: morac, Assigned: dveditz)
References
Details
(Whiteboard: [sg:moderate])
Attachments
(1 file)
|
280 bytes,
text/html
|
Details |
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050317 Firefox/1.0.2
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050317 Firefox/1.0.2
When a user loads a page that begins with the file:// URI and it contains the
enablePrivilege command a security dialog box will pop up.
If the users chooses the remember decision box, then that decision (either ALLOW
or DENY) will apply to any URL starting with file:// once the browser is shut
down and restarted. Until the browser is closed the browser will continue to
pop up a security dialog for new files (these can be remembered as well), but
after the browser is closed and restarted the browser will stop asking for local
files.
For each local page that the user "remembers", an entry will be added to the
prefs.js in the user's profile with the lines:
user_pref("capability.principal.codebase.p#.XXXXX", "priviledge");
user_pref("capability.principal.codebase.p#.id", "file://");
where # is a number, XXXXX is allow or deny and priviledge is the priviledge.
If the "file://" in the prefs.js is manually changed to the actual URL of the
local file, then the priviledge will only apply to that specific file and all
other URLs that being with file:// will pop up the security dialog.
The browser should probably store the entire URL for local files because a user
might want to grant access to a specific file, but not every file on their
system. This is also a security risk since the user might think he is granting
access only to that specific file, but in reality is granting access to all
local files.
Reproducible: Always
Steps to Reproduce:
1. Create a file containing the javascript code
netscape.security.PrivilegeManager.enablePrivilege('UniversalBrowserRead');
and store it somewhere on the local computer (eg: c:\test\test2\file.html)
2. Open this file in the browser (I used Firefox 1.0.2) and a security dialog
will pop up.
3. Choose allow (or deny) and check the remember box.
4. Close the browser
5. Copy the file created in #1 to some other location on your hard drive or
create a new file that accesses the UniversalBrowserRead privilege.
6. Start the browser and open the copied/new file.
Actual Results:
Which ever action that was chosen for the original file (allow or deny) will
apply to the new file as well as any other local files in the future that uses
the same priviledge (UniversalBrowserRead in this case).
Expected Results:
Opening the new file (or any local file) should have brought up the security
dialog box, when the enablePriviledge('UniversalBrowserRead') instruction was hit.
|
Assignee | |
Comment 1•20 years ago
|
||
The default settings will not allow unsigned code to bring up the permission
dialogs at all, every request is silently denied. You must have set the
dangerous for-testing-only codebase principals pref.
This is an overly-broad grant, though. Better even not to remember file://
principals at all, this setting is just for testing after all.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Whiteboard: [sg:fix]
|
Reporter | |
Comment 2•20 years ago
|
||
I didn't set the "signed.applets.codebase_principal_support" preference. It was
still set to false when I ran the test. Apparently it does not apply to local
files.
I just created a file as described at
http://www.mozilla.org/projects/security/components/jssec.html#privs
in order to do a XMLHTTPRequest.
I just retested by creating a brand new profile and I recreated the problem.
I even tried loading the nightly trunk build of Firefox, creating a new profile
and got the same exact results.
Basically local scripts ignore the principal_support pref and once a user
allows/denys access to a local file, the same acess will apply to all local
files once the browser is restarted.
|
|
Reporter | |
Comment 3•20 years ago
|
||
1. Save this attachment to your PC and load the page. You will get a security
pop-up regardless of what your preference settings are.
2. Select remember preference and close the browser.
3. Move the page to another area on your drive and open it again. You won't be
prompted again.
|
|
Reporter | |
Comment 4•20 years ago
|
||
Also I'd rather have it remember decisions on specific local files than remove
the ability to remember decisions altogether since I have a script that
literally makes 100 connections and it would be near useless if I had to hit the
"allow" button a hundred times.
|
||
Comment 5•20 years ago
|
||
Is it possible to fix this without fixing bug 230606 first? My guess is that
it's not.
|
||
Comment 6•20 years ago
|
||
We'd take this fix if we get it (perhaps with 230606's), but not blocking the beta.
Depends on: 230606
Flags: blocking1.8b4-
|
|
||
Updated•20 years ago
|
Whiteboard: [sg:fix] → [sg:moderate]
|
|
||
Comment 7•20 years ago
|
||
*** Bug 330792 has been marked as a duplicate of this bug. ***
|
||
Updated•16 years ago
|
QA Contact: caps
|
|
Assignee | |
Comment 8•16 years ago
|
||
This was effectively fixed by bug 230606
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → WORKSFORME
You need to log in
before you can comment on or make changes to this bug.
Description
•