Closed Bug 365781 Opened 18 years ago Closed 18 years ago

Fake image can redirect in background

Categories

(Core :: Networking, defect)

Product:
Core
Component:
Networking
Version:
1.8 Branch
Platform:
x86
All
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED INVALID

People

(Reporter: da.crivelli+bz, Unassigned)

References

(
URL
)

Details

(Keywords: testcase) 

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; it; rv:1.8.1.1) Gecko/20060601 Firefox/2.0.0.1 (Ubuntu-edgy)
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; it; rv:1.8.1.1) Gecko/20060601 Firefox/2.0.0.1 (Ubuntu-edgy)

A folder stored in a server, with image extension, can make user access a webpage without its "permission", even if the image has no real imagetype.

Reproducible: Always

Steps to Reproduce:
1.create a folder on a webserver called "img.jpg" (for example)
2.put an index.php inside the folder, with header("location:foosite.foo")
3.link the image on a random website with the <img> tag.
Actual Results:  
User will result as a visitor of foosite.foo, even if the site is not opened by the user. In the sample page, http://dailywars.altervista.org/_altervista_ht/bg.png/viewimage.html , firefox will save a cookie called "FakeImgFirefox", which is set by the page setcookie.php (the actual redirect of bg.png/index.php, which you never visited)

Expected Results:  
as the browser discovers that "bg.png" is not an image, the image fetch should be stopped. This happens even if the page (setcookie.php in the example) sends http headers BEFORE setting the cookie, showing that Firefox loads the entire page.

Bug was confirmed also on firefox-3.0a2pre.en-US.linux-i686
Bug 311742 seems to indicate this is desired behavior, not a bug.
Component: Security → Networking
Keywords: testcase
OS: Linux → All
Product: Firefox → Core
QA Contact: firefox → networking
Version: unspecified → Trunk
Bug #311742 refers to "an inline image served by a script that returns a Location: header with the URL for another image". My report refers to a script that returns a Location: header for a non-image object. This non-image should not be retrieved in full when included in an <img> tag.
changing this to 1.8 branch (based from build id)
Version: Trunk → 1.8 Branch
Firefox can't tell whether the target of the redirect is an image
without following the redirect.  (Remember, file types on the web are specified
by mime type, not by extension.)

Refusing to follow all redirects for <img> tags would break things, not improve
Firefox in any material way, and might even be wrong.

Marking as invalid.
Status: UNCONFIRMED → RESOLVED
Closed: 18 years ago
Resolution: --- → INVALID
(In reply to comment #4)
> Refusing to follow all redirects for <img> tags would break things, not improve
> Firefox in any material way, and might even be wrong.

not really asking not to follow redirects, which could even be true images, but not to fetch html pages if they are included in an <img> tag, because they would not even be displayed. (you can fetch the mime type and, as you discover it's no image, stop loading, instead of loading the entire "html-included in img tag" page and not displaying it)
I don't think Mozilla looks for the mime type when it tries to load images, so that wouldn't work.
You need to log in before you can comment on or make changes to this bug.