Bug 365781: Fake image can redirect in background
Status: RESOLVED INVALID (Closed)
Opened 18 years ago; closed 18 years ago
Categories: Core :: Networking, defect
People: Reporter: da.crivelli+bz; Assignee: Unassigned
Keywords: testcase
User-Agent: Mozilla/5.0 (X11; U; Linux i686; it; rv:1.8.1.1) Gecko/20060601 Firefox/2.0.0.1 (Ubuntu-edgy)
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; it; rv:1.8.1.1) Gecko/20060601 Firefox/2.0.0.1 (Ubuntu-edgy)

A folder stored on a server, with an image extension, can make the user access a webpage without their "permission", even if the image has no real image type.

Reproducible: Always

Steps to Reproduce:
1. Create a folder on a webserver called "img.jpg" (for example).
2. Put an index.php inside the folder, with header("location:foosite.foo").
3. Link the image on a random website with the <img> tag.

Actual Results:
The user will appear as a visitor of foosite.foo, even if the site is not opened by the user. In the sample page, http://dailywars.altervista.org/_altervista_ht/bg.png/viewimage.html , Firefox will save a cookie called "FakeImgFirefox", which is set by the page setcookie.php (the actual redirect of bg.png/index.php, which you never visited).

Expected Results:
As the browser discovers that "bg.png" is not an image, the image fetch should be stopped. This happens even if the page (setcookie.php in the example) sends HTTP headers BEFORE setting the cookie, showing that Firefox loads the entire page.

Bug was also confirmed on firefox-3.0a2pre.en-US.linux-i686
Comment 1•18 years ago
Bug 311742 seems to indicate this is desired behavior, not a bug.
Component: Security → Networking
Keywords: testcase
OS: Linux → All
Product: Firefox → Core
QA Contact: firefox → networking
Version: unspecified → Trunk
Comment 2 (Reporter) • 18 years ago
Bug #311742 refers to "an inline image served by a script that returns a Location: header with the URL for another image". My report refers to a script that returns a Location: header for a non-image object. This non-image should not be retrieved in full when included in an <img> tag.
Comment 3•18 years ago
Changing this to 1.8 branch (based on build ID).
Version: Trunk → 1.8 Branch
Comment 4•18 years ago
Firefox can't tell whether the target of the redirect is an image without following the redirect. (Remember, file types on the web are specified by mime type, not by extension.) Refusing to follow all redirects for <img> tags would break things, not improve Firefox in any material way, and might even be wrong. Marking as invalid.
Status: UNCONFIRMED → RESOLVED
Closed: 18 years ago
Resolution: --- → INVALID
Comment 5 (Reporter) • 18 years ago
(In reply to comment #4)
> Refusing to follow all redirects for <img> tags would break things, not improve
> Firefox in any material way, and might even be wrong.

Not really asking not to follow redirects, which could even be true images, but not to fetch HTML pages if they are included in an <img> tag, because they would not even be displayed. (You can fetch the MIME type and, as you discover it's no image, stop loading, instead of loading the entire "html-included in img tag" page and not displaying it.)
Comment 6•18 years ago
I don't think Mozilla looks for the mime type when it tries to load images, so that wouldn't work.
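
Comments 4 to 6 turn on when the content type becomes known and what stopping at that point would save. The following is an added example, not code from this bug or from Mozilla: a constructed loopback server mirrors the report's bg.png/ and setcookie.php layout (the exact paths and the client function are assumptions), and a client follows the redirect, reads only the response headers, and abandons the body when Content-Type is not image/*.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

class Handler(BaseHTTPRequestHandler):  # constructed stand-in for the report's server
    def do_GET(self):
        if self.path == "/bg.png/":  # the "image" URL is really a directory
            self.send_response(302)
            self.send_header("Location", "/setcookie.php")
            self.end_headers()
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Set-Cookie", "FakeImgFirefox=1")
        self.end_headers()
        try:
            self.wfile.write(b"<html>not an image</html>" * 1000)
        except OSError:
            pass  # client dropped the connection before the body was sent
    def log_message(self, *args):
        pass  # keep the demo quiet

def fetch_as_image(host, port, path, max_redirects=5):
    """Follow redirects, read headers only, drop the body unless it is image/*."""
    hops = []
    for _ in range(max_redirects):
        conn = http.client.HTTPConnection(host, port, timeout=5)
        conn.request("GET", path)
        resp = conn.getresponse()  # returns once the header block is parsed
        hops.append(path)
        location = resp.getheader("Location")
        if resp.status in (301, 302, 303, 307, 308) and location:
            conn.close()
            path = urlsplit(location).path  # same-host redirect in this demo
            continue
        ctype = resp.getheader("Content-Type", "")
        read = len(resp.read()) if ctype.startswith("image/") else 0
        conn.close()  # non-image: abandon the body, as comment 5 proposes
        return {"hops": hops, "content_type": ctype,
                "cookie": resp.getheader("Set-Cookie"), "body_bytes_read": read}
    raise RuntimeError("too many redirects")

def demo():
    with HTTPServer(("127.0.0.1", 0), Handler) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        try:
            return fetch_as_image("127.0.0.1", server.server_port, "/bg.png/")
        finally:
            server.shutdown()
```

demo() reports the FakeImgFirefox cookie with zero body bytes read: Set-Cookie travels in the same header block as Content-Type, so stopping at the MIME type saves the body transfer but not the request to the redirect target or its response headers.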