Closed
Bug 416318
Opened 17 years ago
Closed 16 years ago
resource:// traversal allows stealing files from a local page
Categories
(Core :: General, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: guninski, Assigned: dveditz)
References
Details
(Keywords: verified1.8.1.17, verified1.9.0.2, Whiteboard: [sg:moderate])
Attachments
(1 file)
|
501 bytes,
text/html
|
Details |
trunk has restrictions what local html can access.
this can be bypassed via resource:// traversal:
resource:///%2E%2E%2F%2E%2E%2F..%2F..%2F..%2F..%2F..%2Fproc/self/environ
saves the environment of firefox (containing the salty profile name)
later if the page is opened locally with |file| protocol, the file can
be read.
testcase reads /proc/self/environ (not that |self| is the pid of the
saving firefox)
requires saving a file => sg:moderate
|
Reporter | |
Updated•17 years ago
|
Whiteboard: [sg:moderate]
|
||
Updated•17 years ago
|
Product: Firefox → Core
QA Contact: general → general
|
||
Updated•17 years ago
|
Flags: blocking1.8.1.13?
|
Assignee | |
Updated•17 years ago
|
Depends on: CVE-2007-3073
|
|
Assignee | |
Updated•17 years ago
|
Flags: wanted1.8.1.x+
Flags: blocking1.9?
Flags: blocking1.8.1.14?
Flags: blocking1.8.1.13?
|
|
Assignee | |
Updated•17 years ago
|
Assignee: nobody → dveditz
|
||
Comment 1•17 years ago
|
||
Not blocking 1.9, but yes blocking 1.9.0.x. Feel free to argue with me.
Flags: wanted1.9.0.x+
Flags: blocking1.9?
Flags: blocking1.9-
|
|
Assignee | |
Updated•17 years ago
|
Flags: blocking1.8.1.15? → blocking1.8.1.15+
|
|
Assignee | |
Updated•16 years ago
|
Flags: blocking1.9.0.1?
Flags: blocking1.8.1.16+
Flags: blocking1.8.1.15+
|
||
Comment 2•16 years ago
|
||
Dan are you working on this? If not can you suggest an alternate?
|
||
Updated•16 years ago
|
Flags: blocking1.9.0.1? → blocking1.9.0.1-
|
|
||
Updated•16 years ago
|
Keywords: fixed1.8.1.17,
fixed1.9.0.2
|
|
Assignee | |
Comment 3•16 years ago
|
||
Fixed by bug 380994 on branches, not yet on mozilla-central
|
||
Comment 4•16 years ago
|
||
Verified on Ubuntu 8.0.4:
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.2) Gecko/2008082909 Firefox/3.0.2
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.17) Gecko/2008082909 Firefox/2.0.0.17
In 20017/3.0.2 when I enter resource:///%2E%2E%2F%2E%2E%2F..%2F..%2F..%2F..%2F..%2Fproc/self/environ in the location bar I get a page load error.
In 20016/3.0.1 I was prompted to save a file.
|
|
Assignee | |
Comment 5•16 years ago
|
||
bug 380994 checked in:
http://hg.mozilla.org/mozilla-central/rev/6dad95d60106
http://hg.mozilla.org/mozilla-central/rev/1eccc541661c
Group: core-security
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
|
||
Updated•16 years ago
|
Flags: blocking1.8.0.15?
You need to log in
before you can comment on or make changes to this bug.
Description
•