Bug 404391 - Firefox input and file focus stealing through label
[sg:moderate] 1.8-branch
: verified1.8.1.12
Product: Core
Classification: Components
Component: Layout: Form Controls
: 1.8 Branch
: x86 Windows XP
-- normal
: ---
Assigned To: Nobody; OK to take it and work on it
: Jet Villegas (:jet)
Depends on: 405299
Reported: 2007-11-19 12:46 PST by tha featurizer
Modified: 2008-01-29 20:10 PST
mtschrep: blocking1.9-
dveditz: blocking1.8.1.12+
dveditz: wanted1.8.1.x+
jwalden+bmo: in‑testsuite?

example (158 bytes, text/html)
2007-11-19 12:49 PST, tha featurizer

Description tha featurizer 2007-11-19 12:46:28 PST
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/20071025 Firefox/
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/20071025 Firefox/

It's possible to set focus on a file field if a file field and a text field are both embedded into a single label. Result is that the focus of the textfield gets transferred to the file field, which can result in uploading sensitive files from a user's PC.

Reproducible: Always

Steps to Reproduce:
1. goto
2. copy/paste in html file
3. run, type into the text field.
Actual Results:  
focus is set on the file field.

Expected Results:  
focus remaining on the text field.
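
An added example, not the reporter's attachment and not Mozilla code: a static check that flags markup matching the pattern in the description above, a single `<label>` wrapping a file input together with another form control. The sample HTML is constructed, and the names `LabelAudit` and `audit` are chosen here for illustration.

```python
from html.parser import HTMLParser

# Controls a <label> can wrap; hidden inputs are skipped (they cannot take focus).
CONTROLS = {"input", "textarea", "select", "button"}

class LabelAudit(HTMLParser):
    """Flag each <label> that wraps a file input plus at least one other control."""
    def __init__(self):
        super().__init__()
        self.depth, self.current, self.start = 0, None, None
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "label":
            if self.depth == 0:  # outermost label: start collecting controls
                self.current, self.start = [], self.getpos()
            self.depth += 1
        elif tag in CONTROLS and self.depth:
            # A missing or empty type attribute means a text input.
            kind = (dict(attrs).get("type") or "text").lower() if tag == "input" else tag
            if kind != "hidden":
                self.current.append(kind)

    def handle_endtag(self, tag):
        if tag == "label" and self.depth:
            self.depth -= 1
            if self.depth == 0:
                self._flush()

    def close(self):
        super().close()
        if self.depth:  # label never closed: judge what was collected
            self.depth = 0
            self._flush()

    def _flush(self):
        if "file" in self.current and len(self.current) > 1:
            self.findings.append({"line": self.start[0], "controls": self.current})
        self.current = None

def audit(html):
    parser = LabelAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample: only the first label mixes a text field with a file field.
SAMPLE = """<label>Name <input type="text" name="n"> <input type="file" name="f"></label>
<label>Photo <input type="file" name="p"></label>"""
```

`audit(SAMPLE)` returns one finding, for the label on line 1.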
Comment 1 tha featurizer 2007-11-19 12:49:20 PST
Created attachment 289369
Comment 2 :Gavin Sharp 2007-11-19 13:03:59 PST
What's the exploit? It's already known that it's possible to manually focus the input in an <input type=file> on the branch (you don't need any fancy tricks, users can just tab to it). The previous problems were mainly related to programmatically changing focus as the user types to mislead them into typing something into the input, I'm not sure I see how this issue could be used to do that.
Comment 3 tha featurizer 2007-11-19 16:16:06 PST
*sigh* this does exactly the same.

of course it's possible to steal user typed data, no creative mind or what? Think about that for a while, I was kind enough not to release actual code to exploit it. I know about the previous issue, I found the same in MSIE, only differently.

Consider this the first and last post on Bugzilla with such stupid answers, waste of my time.
Comment 4 Jesse Ruderman 2007-11-19 16:31:12 PST
You can also obscure the "Browse..." button by covering it, making the file upload control look like a normal text field.  That's been known for a long time.  See bug 57770, for example.

There might be a bug here with how <label> interacts with multiple form fields, but it's not a security hole.
Comment 5 Jesse Ruderman 2007-11-19 16:33:03 PST
If you do have an exploit, please do file a new (security-sensitive) bug report with it, so we can know what you're talking about :)
Comment 6 :Gavin Sharp 2007-11-19 16:35:47 PST
(In reply to comment #3)
> *sigh* this does exactly the same.

Exactly the same as what? The previous exploits related to file inputs were based on masking the fact users were typing in filenames (e.g. by selectively changing focus, retargeting events, etc). I don't see a way to do that with this testcase; seems to me like it has the same effect as getting the user to press "tab".

You can call me stupid if you want, but my comment was a question, not an answer. I don't understand why you think this testcase is dangerous, and if you don't want to explain it to me that's up to you, I guess.
Comment 7 Gregory Fleischer 2007-11-19 21:45:39 PST
I couldn't tell if a sample exploit had already been submitted by the
original reporter, so I thought I would submit what I had.

Exploit example attached to bug 404451.
Comment 8 Mike Schroepfer 2007-11-23 10:46:38 PST
Gregory and tha featurizer - thanks for the info on this bug.  Given the data in bug 404451 I'm removing this bug from the blocking list and we'll evaluate bug 404451 separately.
Comment 9 Daniel Veditz [:dveditz] 2008-01-10 21:12:10 PST
Fixed on the 1.8 branch by bug 405299
Comment 10 Samuel Sidler (old account; do not CC) 2008-01-29 19:41:30 PST
This bug is verified by the verification in bug 404451 and bug 405299 which show sample exploits for this bug.

Also verified that this testcase now focuses the "Browse" button instead of the text field.

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/2008012820 Firefox/
