+++ This bug was initially created as a clone of Bug #657462 +++
If Java is installed, "opening" a .jar file will launch a Java Application, which is definitely not 'web safe'. Since a .jar application can launch executables (among other things) we should mark that as an executable type so that users are forced to download and manually open rather than allow them to open from the download prompt (or worse, set it to auto-open). We should check to see if Java registers any other extensions while we're at it.
Dan, we'll need a reviewed patch for this by 2:00 pm PDT tomorrow...
Created attachment 537789
Add .jar and .air to Windows executable list
Require Java and Air bundles to be downloaded and manually run like other executable types.
Attachment #537789 - Flags: review?(benjamin)
Status: NEW → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → FIXED
Attachment #537789 - Flags: approval2.0?
Attachment #537789 - Flags: approval2.0+
Attachment #537789 - Flags: approval22.214.171.124?
Attachment #537789 - Flags: approval126.96.36.199+
Attachment #537789 - Flags: approval-mozilla-beta?
Attachment #537789 - Flags: approval-mozilla-beta+
Attachment #537789 - Flags: approval-mozilla-aurora?
Attachment #537789 - Flags: approval-mozilla-aurora+
status1.9.2: wanted → .18-fixed
status2.0: --- → wanted
Pushed to beta: http://hg.mozilla.org/releases/mozilla-beta/rev/80d99dbc8e9e
status-firefox5: affected → fixed
Can someone be super explicit on the testing scenario / STR for QA here? :-)
Whiteboard: [blocks-fx5b5] → [blocks-fx5b5] [qa-examined-192] [qa-needs-STR]
The testcase in bug 657462 is one way to test (that specific example should be mitigated by this fix).
Another more general way to test is to ensure that the Download Manager warns you with the scary prompt before allowing you to double-click-open downloaded .jar/.air files.
Gavin, the testcase in bug 657462 still exhibits its bug with last night's 1.9.2 build (Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:188.8.131.52pre) Gecko/20110607 Namoroka/3.6.18pre (.NET CLR 3.5.30729)) so this fix doesn't address that.
I downloaded a .jar file from https://github.com/nzakas/cssembed/downloads/ with last night's 184.108.40.206pre build on XP (same one as comment 9) and double-clicking in the download manager briefly shows an hourglass, which then dismisses. Nothing else happens and no additional program opens or prompts.
Didn't this land earlier today? Last night's 1.9.2 build wouldn't have the fix.
I see the warning now in Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:220.127.116.11pre) Gecko/20110609 Namoroka/3.6.18pre (.NET CLR 3.5.30729). Verified for 1.9.2.
Whiteboard: [blocks-fx5b5] [qa-examined-192] [qa-needs-STR] → [blocks-fx5b5]
Whiteboard: [blocks-fx5b5] → [sg:critical][blocks-fx5b5]
status-firefox6: affected → fixed
The June m-c landing means this is fixed in Firefox 7, too.
status-firefox7: affected → fixed
Target Milestone: --- → mozilla7
qa+ for QA fix verification on Firefox 7.
Whiteboard: [sg:critical][blocks-fx5b5] → [sg:critical][blocks-fx5b5][qa+]
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0) Gecko/20100101 Firefox/7.0 ID:20110922153450
1) https://github.com/downloads/nzakas/cssembed/cssembed-0.4.0.jar
2) http://cloudfront.ambiance.urbanapps.com/airinstaller/Ambiance.1.0.2.air
Both files ask me to save the file first. Once downloaded, when I double click them in the Download Manager they open in their respective apps without warning:
* .jar opens in WinZip
* .air opens in Adobe Air Installer
Is this the expected result?
As I recall, once it is downloaded, it is treated as any other downloaded file. The fix is to make sure that your only option is to save the file when you are prompted to download it. From your description, Anthony, this sounds fixed.
Thanks for the clarification, Al. Marking verified fixed.
Status: RESOLVED → VERIFIED
Whiteboard: [sg:critical][blocks-fx5b5][qa+] → [sg:critical][blocks-fx5b5][qa!]
The description of CVE-2011-2372 matches bug 657462 as announced in MFSA 2011-40, so we should stick to that. This one is now CVE-2011-3666.
Alias: CVE-2011-2372 → CVE-2011-3666