Closed
Bug 31650
Opened 24 years ago
Closed 24 years ago
loading local files in a window
Categories
(Core :: Security, defect, P3)
Tracking
()
VERIFIED
FIXED
M16
People
(Reporter: norrisboyd, Assigned: security-bugs)
References
()
Details
(Whiteboard: [nsbeta2+])
Attachments
(2 files)
Subject:
Potential bug: loading local files in a window
Date:
Mon, 13 Mar 2000 16:06:50 +0200
From:
Georgi Guninski <joro@nat.bg>
To:
Norris Boyd <norris@netscape.com>
Generally, Mozilla disallows loading local files in a window (links,
META refresh, HTTP redirects, forms, window.open).
But it is possible to circumvent this using <A
HREF="C:\file">C:\file</A> on Windows.
|
Reporter | |
Updated•24 years ago
|
Status: NEW → ASSIGNED
Target Milestone: M15
|
||
Comment 1•24 years ago
|
||
With no sign of progress... and Norris out this week... I'm pushing this to M16 to allow for the M15 branch.
Target Milestone: M15 → M16
|
Assignee | |
Comment 2•24 years ago
|
||
Bulk reassigning most of norris's bugs to mstoltz.
Assignee: norris → mstoltz
Status: ASSIGNED → NEW
|
|
Assignee | |
Comment 3•24 years ago
|
||
Hmm...I've never seen "c:\file" used as an URL before. I'll bet we're not checking URL's in this format correctly. Need to find a Windows machine to test this on. Should be an easy fix.
Status: NEW → ASSIGNED
|
|
Assignee | |
Comment 6•24 years ago
|
||
I don't think this exploit works anymore. With a file called c:\Dupe.txt on my drive, I tried an <A HREF="..."> link tag with c:\Dupe.txt, c|\Dupe.txt, file:///c:\Dupe.txt, and file:///c|\Dupe.txt, and all of the above with forward slashes instead of backslashes. With file:/// present, the security manager stops the load, as it should. Without file:///, the load either fails immediately or attempts to prepend the base URL of the page containing the link. I'm marking this WORKSFORME. Cathy, could you please take another look? Start with the testcase HTML page which I'm abbout to attach here and try every weird syntax of C:\ or C|\ URL you can think of. You might also try putting these weird URL's in something besides an anchor tag - like a form, HTTP redirect, META refresh, etc. (see the original bug description).
Status: ASSIGNED → RESOLVED
Closed: 24 years ago
Resolution: --- → WORKSFORME
|
|
Assignee | |
Comment 7•24 years ago
|
||
|
||
Comment 8•24 years ago
|
||
|
|
||
Comment 9•24 years ago
|
||
I don't find any way to access the local files, but there is new discover running meta refresh: http://cathyz/bugs/31650_meta_3.html, the browser automaticaly chop 31650_meta_3.html, displaying http://cathyz/bugs/, so the content of the fold are exposed. IE does not do this, it is not displaying anything, to run my test cases, create d:/javascript/test.html on your local disk, I attached test.html go to: http://cathyz/bugs/31650_link.html http://cathyz/bugs/31650_form.html http://cathyz/bugs/31650_window.html http://cathyz/bugs/31650_meta_1.html http://cathyz/bugs/31650_meta_2.html http://cathyz/bugs/31650_meta_3.html
|
|
||
Comment 10•24 years ago
|
||
I find the way to attack the local file http://cathyz/bugs/31650_base.html http://cathyz/bugs/31650_base_2.html http://cathyz/bugs/31650_base_3.html the code is: <html> <base href="file:///d|/javascript/"> <body> <a href="test.html">click here to see if you get the image, if you do, you are l oading local file, that is bad. </a> <p> </body></html> I think this bug is related with bug 35859. fixing either of them might fix both
Status: RESOLVED → REOPENED
Resolution: WORKSFORME → ---
|
|
Assignee | |
Comment 12•24 years ago
|
||
Marking FIXED.
Status: ASSIGNED → RESOLVED
Closed: 24 years ago → 24 years ago
Resolution: --- → FIXED
|
|
Assignee | |
Comment 14•24 years ago
|
||
Opening fixed security bugs to the public.
Group: netscapeconfidential?
You need to log in
before you can comment on or make changes to this bug.
Description
•