290280 - "Open Containing Folder" improperly validates filenames and executes code

Status: RESOLVED DUPLICATE of bug 211894

(Toolkit :: Downloads API, defect)

Description

[Greg Linares]

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.7.3) Gecko/20041001 Firefox/0.10.1
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.7.3) Gecko/20041001 Firefox/0.10.1

After selecting a file and right-clicking to bring up the option "Open
Containing Folder" in Download manager, Firefox fails to check to validate the
name of the folder.  Example:  if i download files into a folder called
"C:\Storage\" and there just happens to be a file called "C:\storage.exe"
Firefox will immediately execute the executable file without any warnings and
the file will run at the same privlidges as Firefox.

Reproducible: Always

Steps to Reproduce:
1. Select a Folder to download to in Firefox's Options--->Downloads Menu.  ie
"C:\Saved\"
2. Copy an exe to the C:\ directory and name it the same name as the download
folder and add ".exe", ie copy and rename calc.exe to "C:\saved.exe"
3. Download any file
4. Bring up Download manager and right click the downloaded file, and select
"Open Contained Folder"

Actual Results:  
The renamed executable ran without any warnings at the same privlidge level as
Firefox.

Expected Results:  
Validate the file name and opened the folder instead of the executable file.

This could be a security risk for malware/viruses/trojans, its a long shot but
it's still exploitable.

Comment 1

[Mike Shaver (:shaver emeritus)]

You're using a pretty old build, and our testing shows that this was resolved in
Firefox 1.0.1.  Could you try updating and verify that you see the same thing?

Thanks for the report.

(Clearing blocking flags as well.)

Comment 2

[Daniel Veditz [:dveditz] out until Nov 10]

*** This bug has been marked as a duplicate of 211894 ***