WMF Files opened with Windows Media Player Plugin

RESOLVED FIXED in mozilla1.8.1

Status

()

Core
Plug-ins
RESOLVED FIXED
12 years ago
12 years ago

People

(Reporter: Christian Franke, Unassigned)

Tracking

({fixed1.8.1})

Trunk
mozilla1.8.1
x86
Windows XP
fixed1.8.1
Points:
---
Bug Flags:
blocking1.7.13 -
blocking-aviary1.0.8 -
blocking1.8.0.1 -

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

(Reporter)

Description

12 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051219 SeaMonkey/1.0b
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051219 SeaMonkey/1.0b

WMF and other *.WM* files are handled by Windows Media Player Plugin if no other MIME type mapping (mimeTypes.rdf, OS-provided) exists.



Reproducible: Always

Steps to Reproduce:
1. Remove any setting for WMF file type in Windows Explorer and SM Preferences
2. Make sure Windows Media Player Plugin is installed and enabled
3. Send yourself a mail with an attached .wmf file (any contents, no need for a real .wmf file)
4. Examine source of received mail
5. Open a local .wmf file in browser

Actual Results:  
Attachment has Content-type: video/x-ms-wm.
Browser opens Media Player for .wmf file.


Expected Results:  
Attachment should have Content-type: application/octet-stream.
Browser should not open any app for a file extension without a MIME type mapping.


Workaround: Add an entry for extension wmf in Preferences|Navigator|Helper Applications

Setting security flag due to WMF vulnerability (shimgvw.dll) reported recently.
(Reporter)

Comment 1

12 years ago
Created attachment 207479 [details] [diff] [review]
Add missing length check in nsPluginHostImpl.cpp:CompareExtensions()

The root of the problem is a missing length check in plugin extension list comparison. One of the lists provided by Media Player is ".wm,*". Due to the bug, this matches all *.wm* files.
*** Bug 321920 has been marked as a duplicate of this bug. ***
Attachment #207479 - Flags: superreview?(jst)
Attachment #207479 - Flags: review+
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: blocking1.9a1?
Flags: blocking1.8.0.1?
Flags: blocking1.7.13?
Comment on attachment 207479 [details] [diff] [review]
Add missing length check in nsPluginHostImpl.cpp:CompareExtensions()

sr=jst
Attachment #207479 - Flags: superreview?(jst) → superreview+
fixed on trunk

Checking in modules/plugin/base/src/nsPluginHostImpl.cpp;
/cvsroot/mozilla/modules/plugin/base/src/nsPluginHostImpl.cpp,v  <--  nsPluginHostImpl.cpp
new revision: 1.545; previous revision: 1.544
done
Status: NEW → RESOLVED
Last Resolved: 12 years ago
Flags: blocking1.9a1?
Resolution: --- → FIXED
Attachment #207479 - Flags: approval1.8.1?
Attachment #207479 - Flags: approval1.8.0.1?
Attachment #207479 - Flags: approval1.7.13?
Attachment #207479 - Flags: approval-aviary1.0.8?
This is only marginally security-related (in fact, opening the incorrect handler for .wmf is actually safer than doing the right thing).
Group: security
Flags: blocking1.8.0.1? → blocking1.8.0.1-
Comment on attachment 207479 [details] [diff] [review]
Add missing length check in nsPluginHostImpl.cpp:CompareExtensions()

a- on 1.8.0.1
Attachment #207479 - Flags: approval1.8.1?
Attachment #207479 - Flags: approval1.8.1+
Attachment #207479 - Flags: approval1.8.0.1?
Attachment #207479 - Flags: approval1.8.0.1-
fixed on MOZILLA_1_8_BRANCH
Checking in modules/plugin/base/src/nsPluginHostImpl.cpp;
/cvsroot/mozilla/modules/plugin/base/src/nsPluginHostImpl.cpp,v  <--  nsPluginHostImpl.cpp
new revision: 1.532.2.5; previous revision: 1.532.2.4
done
Keywords: fixed1.8.1
Target Milestone: --- → mozilla1.8.1
Flags: blocking-aviary1.0.8?
Flags: blocking1.7.13?
Flags: blocking1.7.13-
Flags: blocking-aviary1.0.8?
Flags: blocking-aviary1.0.8-
Comment on attachment 207479 [details] [diff] [review]
Add missing length check in nsPluginHostImpl.cpp:CompareExtensions()

minusing for old branches
Attachment #207479 - Flags: approval1.7.13?
Attachment #207479 - Flags: approval1.7.13-
Attachment #207479 - Flags: approval-aviary1.0.8?
Attachment #207479 - Flags: approval-aviary1.0.8-
You need to log in before you can comment on or make changes to this bug.