Bug 348763: treat .application files like .exe files
Status: RESOLVED FIXED (Closed)
Opened 19 years ago, closed 19 years ago
Categories: Toolkit :: Downloads API, defect
Tracking: mozilla1.8.1
People: Reporter: u49640, Assigned: dveditz
Details: Keywords: fixed1.8.0.9, fixed1.8.1.1, Whiteboard: [sg:low]
Attachments: 1 file (patch, 3.01 KB; dougt: review+, jay: approval1.8.0.9+, jay: approval1.8.1.1+)
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1b1) Gecko/20060710 Firefox/2.0b1
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1b1) Gecko/20060710 Firefox/2.0b1
A .application file is a link to a potentially unsafe (Dotnet) Application.
Right now Firefox has the option to open them with the default location. Since those .application files can basically execute an arbitrary binary, this should be handled like a .exe file and disallow direct opening.
But Windows will at least show a warning like this
http://www.ondotnet.com/dotnet/2004/10/11/graphics/image008.jpg
to inform the user that this is an (untrusted) app.
(Marking this bug as security-bug, but I'm not sure if this is correct)
Reproducible: Always
Comment 1 • 19 years ago (Assignee)
It won't show that warning if it's signed, and borderline legit adware companies can easily get certs (until they clearly step over the line the lawyers are afraid of getting sued if they deny the cert).
Would be easy to fix by adding to the list at http://lxr.mozilla.org/mozilla/source/xpcom/io/nsLocalFileWin.cpp#2355
Doug: what do you think? I'm happy to shepherd this in if we agree this is reasonable.
Assignee: nobody → dveditz
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: blocking1.8.0.7?
Flags: blocking-firefox2?
Updated • 19 years ago (Assignee)
Flags: blocking1.8.0.7? → blocking1.8.0.7+
btw: while we are at determining dangerous files: wouldn't it be a good idea to use the List from Microsoft's Outlook 2003 to determine which files are dangerous and shouldn't be executable?
http://office.microsoft.com/en-us/assistance/HA011402971033.aspx
Updated • 19 years ago
Flags: blocking-firefox2? → blocking-firefox2+
Target Milestone: --- → Firefox 2
Comment 3 • 19 years ago
I think it's reasonable to follow the same list as Outlook, with anything additional we already block. dveditz, do you have cycles for doing this?
Comment 4 • 19 years ago (Assignee)
This syncs our list of executables with the Outlook list of blocked extensions. I'm not sure that's really right, though; we're not quite blocking things for the same reason or in the same way. (I used the list from Outlook 2007 rather than 2003, the same plus .msh, .mshxml, and .plg).
I couldn't find any documentation that mentions a .application extension. In some ways our "IsExecutable" check misses the boat entirely. Extensions are important for matching non-executables with their default handler, but actual executables are run because they are in fact executable, regardless of extension. You can rename firefox.exe to xxx.xxx and it will run just fine.
Attachment #235704 - Flags: review?
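The limitation described in comment 4, shown as an added example (this is not the attached patch and not Mozilla's code): an extension blocklist catches `.application` and `.exe` by name, while a renamed image such as `xxx.xxx` is only recognisable by its content. The helper names are hypothetical, the extension list is a constructed subset holding only extensions named in this bug, and the trailing dot/space handling is an assumption about how such a check should be hardened on Windows.

```cpp
#include <algorithm>
#include <cctype>
#include <cstdio>
#include <string>

// Constructed subset: only the extensions named in this bug, not the real list.
static const char* const kBlockedExts[] = {"application", "exe", "msh",
                                           "mshxml", "plg"};

// Hypothetical helper: extension test on the leaf name, case-insensitive.
// Trailing dots and spaces are dropped first because Win32 path handling
// strips them, so "tool.exe." opens the same file as "tool.exe".
bool IsBlockedByExtension(std::string path) {
  while (!path.empty() && (path.back() == '.' || path.back() == ' '))
    path.pop_back();
  std::string::size_type sep = path.find_last_of("\\/");
  std::string leaf = (sep == std::string::npos) ? path : path.substr(sep + 1);
  std::string::size_type dot = leaf.rfind('.');
  if (dot == std::string::npos) return false;  // no extension at all
  std::string ext = leaf.substr(dot + 1);
  std::transform(ext.begin(), ext.end(), ext.begin(), [](unsigned char c) {
    return static_cast<char>(std::tolower(c));
  });
  for (const char* blocked : kBlockedExts)
    if (ext == blocked) return true;
  return false;
}

// Hypothetical helper: content test. Windows PE images begin with "MZ".
bool LooksLikePEImage(const std::string& head) {
  return head.size() >= 2 && head[0] == 'M' && head[1] == 'Z';
}

int main() {
  const std::string peHead("MZ\x90\x00", 4);  // constructed first bytes
  const char* names[] = {"setup.application", "Tool.EXE. ", "xxx.xxx"};
  for (const char* n : names)
    std::printf("%-18s blocked_by_ext=%d\n", n, IsBlockedByExtension(n));
  // Comment 4's case: an image renamed to xxx.xxx passes the extension test.
  std::printf("xxx.xxx content is PE image=%d\n", LooksLikePEImage(peHead));
  return 0;
}
```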
Updated • 19 years ago (Assignee)
Attachment #235704 - Flags: review? → review?(dougt)
Comment 5 • 19 years ago (Assignee)
I don't think we need to mess with this for 1.8.0.7, moving back to nominated state for re-triage.
Flags: blocking1.8.0.7+ → blocking1.8.0.7?
Updated • 19 years ago
Attachment #235704 - Flags: review?(dougt) → review+
Updated • 19 years ago (Assignee)
Flags: blocking1.8.0.8?
Flags: blocking1.8.0.7?
Flags: blocking1.8.0.7-
Comment 6 • 19 years ago
Dan, can you land this on trunk so we can see it shake out? Looks safe enough to take for 2.0, but kinda confused as to why it's not yet on trunk.
Comment 7 • 19 years ago
DVeditz - ping. We are getting close to/past our trunk bake window. So this will get pulled off the FF2 list shortly...
Comment 8 • 19 years ago
We don't have enough time for testing this fix - so I'm taking it off the ff2 blocker list.
Flags: blocking-firefox2+ → blocking-firefox2-
Comment 10 • 19 years ago
Dan's promised to get this on the trunk - he thinks he might have done so already!
Flags: blocking1.8.1.1+
Flags: blocking1.8.0.9?
Flags: blocking1.8.0.9+
Updated • 19 years ago (Assignee)
Whiteboard: needs trunk landing
Comment 11 • 19 years ago (Assignee)
Checked in on trunk
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Whiteboard: needs trunk landing → needs approval, branch landing
Updated • 19 years ago (Assignee)
Attachment #235704 - Flags: approval1.8.1.1?
Attachment #235704 - Flags: approval1.8.0.9?
Comment 12 • 19 years ago
Comment on attachment 235704: sync with Outlook's blocked files
Approved for both branches, a=jay for drivers.
Attachment #235704 - Flags: approval1.8.1.1?
Attachment #235704 - Flags: approval1.8.1.1+
Attachment #235704 - Flags: approval1.8.0.9?
Attachment #235704 - Flags: approval1.8.0.9+
Comment 13 • 19 years ago (Assignee)
Fix checked into 1.8 and 1.8.0 branches
Keywords: fixed1.8.0.9, fixed1.8.1.1
Updated • 19 years ago (Assignee)
Whiteboard: needs approval, branch landing → [sg:low] needs approval, branch landing
Updated • 19 years ago (Assignee)
Group: security
Whiteboard: [sg:low] needs approval, branch landing → [sg:low]
Updated • 17 years ago
Product: Firefox → Toolkit