Last Comment Bug 670514 - (CVE-2012-1945) Arbitrary File + Directory read via .lnk files on Windows Share
(CVE-2012-1945)
: Arbitrary File + Directory read via .lnk files on Windows Share
Status: VERIFIED FIXED
[sg:high][advisory-tracking+]
: sec-high, verified-aurora, verified-beta
Product: Core
Classification: Components
Component: General (show other bugs)
: Trunk
: x86 Windows XP
: -- normal (vote)
: mozilla15
Assigned To: Brian R. Bondy [:bbondy]
:
Mentors:
Depends on: 833723 751905 751911 754894 761319 781628 867407
Blocks: 803999 862383
  Show dependency treegraph
 
Reported: 2011-07-10 05:38 PDT by Paul Stone
Modified: 2015-03-30 10:38 PDT (History)
17 users (show)
rforbes: sec‑bounty+
See Also:
Crash Signature:
(edit)
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---
+
verified
+
verified
+
verified
13+
verified


Attachments
PoC (10.54 KB, application/octet-stream)
2011-07-10 05:38 PDT, Paul Stone
no flags Details
PoC v2 (9.95 KB, application/java-archive)
2011-07-11 02:22 PDT, Paul Stone
no flags Details
Fix for Arbitrary File + Directory read via .lnk files on Windows Share (2.99 KB, patch)
2011-07-21 08:42 PDT, Brian R. Bondy [:bbondy]
bzbarsky: review-
Details | Diff | Splinter Review
Fix for Arbitrary File + Directory read via .lnk files (1.98 KB, patch)
2011-07-29 10:16 PDT, Brian R. Bondy [:bbondy]
dveditz: feedback-
Details | Diff | Splinter Review
Patch v3. (5.20 KB, patch)
2012-03-12 10:42 PDT, Brian R. Bondy [:bbondy]
bzbarsky: review-
Details | Diff | Splinter Review
Patch v4. (4.29 KB, patch)
2012-03-29 06:43 PDT, Brian R. Bondy [:bbondy]
no flags Details | Diff | Splinter Review
Patch v5 (6.08 KB, patch)
2012-04-16 16:27 PDT, Brian R. Bondy [:bbondy]
bzbarsky: review+
Details | Diff | Splinter Review
Patch v6 (5.75 KB, patch)
2012-05-02 08:26 PDT, Brian R. Bondy [:bbondy]
netzen: review+
akeybl: approval‑mozilla‑aurora+
akeybl: approval‑mozilla‑beta+
Details | Diff | Splinter Review
Test patch. v1. (2.77 KB, patch)
2012-05-02 11:14 PDT, Brian R. Bondy [:bbondy]
bzbarsky: review+
Details | Diff | Splinter Review
Bundled Beta and Aurora patch - this bug + Bug 751905 + Bug 754894 (7.40 KB, patch)
2012-05-18 19:04 PDT, Brian R. Bondy [:bbondy]
netzen: review+
Details | Diff | Splinter Review

Description Paul Stone 2011-07-10 05:38:54 PDT
Created attachment 545068 [details]
PoC

If a user can be persuaded to visit an HTML file hosted on a public Windows share (see below) then that page can use .lnk files to read arbitrary files and directory listings from their machine.

Imagine we have index.html and foo.lnk in the same directory, with foo.lnk pointing to C:\boot.ini. The HTML file is loaded via a file URL then loads foo.link into an iframe. The contents of boot.ini are displayed but document.location of the iframe is still foo.lnk. However, if the outer page tries to access the iframe, it gets a permission denied error as Firefox still seems to realise that the outer page and inner page are from different origins/directories.

The trick is to have two link files:
baz.lnk -> index.html
foo.lnk -> C:\boot.ini

First we load baz.lnk, then replace baz.lnk with foo.lnk. The HTML page then loads baz.lnk (i.e. itself) using XHR or an iframe. Because the url of the requesting page matches the page loaded, Firefox assumes they're the same origin and allows the contents to be read. Both files and directories can be read in this manner. My PoC uses static .lnk files to read some system directories and the Firefox profile.ini file. However it would be possible to traverse the whole filesystem by grabbing a directory listing and then dynamically generating .lnk files on the server.

There are various method to get the user to load content from a public share (e.g. file://///myhost.com/share/index.html):
1. Use a Java applet to force a drop of the URL (see bug 546909) - PoC uses this
2. Put an innocent looking unhyperlinked HTTP url on the page and get the user to copy/paste it into the location bar. When the user has selected the URL, sneakily change the current selection to the file: URL so that gets copied instead (PoC also has this as an alternative option)
3. Possibly send the file URL in an email. I've not really looked into this, but I seem to recall Outlook will open up \\myhost.com\share\index.html in Firefox if it's the default browser.

This attack could either work within an intranet or possibly over the internet providing your ISP/Corporate firewall doesn't block the relevant ports. My ISP does, but I know not all do. I've attached the PoC as a zip file, as I don't currently have anywhere to host this publically. It's been tested on a few Windows XP machines, not sure if Win7 has any extra security measures to prevent things like this.

Finally, this bug was found in my own time, so I promise it won't be blogged, tweeted or publicised in any way before it's fixed.
Comment 1 Paul Stone 2011-07-11 02:22:31 PDT
Created attachment 545139 [details]
PoC v2

Ok, the previous attachment won't work as-is. You need to create the index.lnk and reset.lnk files yourself. The ones in the previous version pointed to the IP of my test VM so they won't work. I've updated the README.txt file with instructions.
Comment 2 Paul Stone 2011-07-20 03:47:20 PDT
A fourth way to get the public share to load is to offer a .lnk file for download over HTTP. Firefox will show the normal save file dialog, allowing the user to either open the shortcut directly or save it to disk. If Firefox is the default browser, then a shortcut pointing to an HTML file will open up the file in Firefox. 

Apart from the the file reading vulnerability, there seems to be a lot of other problems caused by .lnk files and/or connecting to public shares. For example, the Metasplot SMB sniffer module could be used to grab password hashes. It's also possible to create a .lnk to cmd.exe with arguments. Firefox allows you to save and open that shortcut without any of the normal warnings you get for executable files. Granted, you could argue that these are problems with Windows - but Firefox probably shouldn't expose them so easily.
Comment 3 Benjamin Smedberg AWAY UNTIL 2-AUG-2016 [:bsmedberg] 2011-07-20 08:05:24 PDT
Does anyone know whether we can just rip out .lnk file handling altogether?

Brian, welcome to your first security bug! ;-)
Comment 4 Paul Stone 2011-07-20 08:23:22 PDT
I noticed that Chrome seems to rename .lnk files downloaded over HTTP to .download. This prevents Windows from trying to automatically resolve the shortcut - with Firefox the shortcut is resolved as soon as it's downloaded because the Download manager fetches the icon and file size. 

Chrome does allow viewing files on Windows shares via a file:// URL and will follow .lnk files. However it always resolves the filename so the target of the .lnk file is always displayed in the location bar.
Comment 5 Jim Mathies [:jimm] 2011-07-20 10:50:07 PDT
(In reply to comment #3)
> Does anyone know whether we can just rip out .lnk file handling altogether?
> 
> Brian, welcome to your first security bug! ;-)

We seem to treat them as generic files. I placed one up on a web server, clicked on it, was prompted to save as, which I did. Double clicking on that Windows prompted with the standard security dialog about downloaded content then launched the app. 

We have file extension restrictions that bring up the save as dialog on downloads, but I don't think we restrict any specific type of file. Maybe a "rename extension .xyz" filter down in nsExternalAppHandler might be the best bet.
Comment 6 Jim Mathies [:jimm] 2011-07-20 10:51:10 PDT
(In reply to comment #5)
> (In reply to comment #3)
> > Does anyone know whether we can just rip out .lnk file handling altogether?
> > 
> > Brian, welcome to your first security bug! ;-)
> 
> We seem to treat them as generic files. I placed one up on a web server,
> clicked on it, was prompted to save as, which I did. Double clicking on that
> Windows prompted with the standard security dialog about downloaded content
> then launched the app. 
> 
> We have file extension restrictions that bring up the save as dialog on
> downloads, but I don't think we restrict any specific type of file. Maybe a
> "rename extension .xyz" filter down in nsExternalAppHandler might be the
> best bet.

Actually I meant the service - 

http://mxr.mozilla.org/mozilla-central/source/uriloader/exthandler/nsExternalHelperAppService.cpp#2215
Comment 7 Jim Mathies [:jimm] 2011-07-20 10:54:29 PDT
(In reply to comment #4)
> Chrome does allow viewing files on Windows shares via a file:// URL and will
> follow .lnk files. However it always resolves the filename so the target of
> the .lnk file is always displayed in the location bar.

This something we might want to add, but I'd say we should spin it off into another feature related bug. Currently browsing a local share results in the same save as dialog you get for the web, so lnk files in this case don't work anyway with fx.
Comment 8 Paul Stone 2011-07-20 11:45:02 PDT
Just to be clear (and apologies for mixing separate issues in one bug) Firefox will load the target of .lnk files over file:// directly (without a download dialog) if the target is an HTML file, directory or other file type that Firefox can display.
Comment 9 Brian R. Bondy [:bbondy] 2011-07-20 12:41:40 PDT
Thanks Paul, I was able to reproduce the problem as per your README.txt.
Comment 10 Brian R. Bondy [:bbondy] 2011-07-21 08:42:15 PDT
Created attachment 547405 [details] [diff] [review]
Fix for Arbitrary File + Directory read via .lnk files on Windows Share

Everything seems to work now.

The trick is early resolution of the lnk URI into the target path URI before the origins are compared in nsNetUtil.h's NS_SecurityCompareURIs.  

The lnk file cannot be resolved at the time of NS_SecurityCompareURIs because it is too late and the URIs are the same at that point and resolve to the same target.  The best place I could find to do this resolving was in nsDefaultURIFixup::FileURIFixup.

I don't have try server access yet (Bug 671744), but when I do I will make sure it builds on non Windows platforms and passes all tests on all platforms.
Comment 11 Boris Zbarsky [:bz] 2011-07-21 08:58:21 PDT
The attached patch only affects files loaded via the url bar.  Seems like the bug would still be there if the file is loaded via some other means, no?

I don't see how this is a problem for XHR, because XHR should be doing a security check on the link-redirect, unless we've stopped treating these as redirects?

For subframes, though, it's a problem; perhaps the file special-casing in CheckMayLoad should be taught about .lnk files?

> The lnk file cannot be resolved at the time of NS_SecurityCompareURIs 

Why not?  Seems like it sure can.  But see above...
Comment 12 Brian R. Bondy [:bbondy] 2011-07-21 09:35:28 PDT
Thanks for the quick response.  

> bug would still be there if the file is loaded via some other means, no?

I tried from the bookmarks bar, URL bar, and via command line to load the URL and the changed function resolves the path in all of those cases.  Let me know if I missed any cases to try.

> Why not?  Seems like it sure can.

Because at this point the LNK file will resolve to the same target of the replaced file, so if the check was put there, the origin check would return same origin.
Comment 13 Brian R. Bondy [:bbondy] 2011-07-21 09:45:09 PDT
bz, I was working off of the attached proof of concept zip file and its readme file. I'll try the iframe example mentioned above as well and then let you know or submit a new patch.
Comment 14 Boris Zbarsky [:bz] 2011-07-21 09:46:30 PDT
The things you tried are all the same thing: something that passes a string URI into docshell.

Try something like <a href>.

> Because at this point the LNK file will resolve to the same target of the
> replaced file

So the problem is that the principal points to the .lnk file, not what the link resolved to or something?
Comment 15 Boris Zbarsky [:bz] 2011-07-21 09:49:33 PDT
OK, so we do the redirect thing for .url files.  But I assume we treat .lnk files as just normal files and the OS is what does the magic?

In that case the basic issue is that we should be storing the fully-resolved filename somewhere and using it for security checks.... except that may break other things.  dveditz, thoughts?
Comment 16 Brian R. Bondy [:bbondy] 2011-07-21 09:51:28 PDT
> So the problem is that the principal points to the .lnk file, not what the link resolved to or something?

Yes correct.

> Try something like <a href>.

I tried created an html file that had such a link to the lnk but that also hits the changed code.  Maybe there is another way I can get it to not go to the docshell?

> ... I was working off of the attached proof of concept zip file...

It should be the same because the proof of concept simply does an XMLHttpRequest
Comment 17 Brian R. Bondy [:bbondy] 2011-07-21 09:57:26 PDT
Actually sorry, the <a href> does call the function with the lnk file but reproduces the original problem, so I will investigate that more. 

On a side note, with Google Chrome (who doesn't have the problem), and with the patch, when you enter an lnk file it will update the URL bar to the resolved path.

With FF5 it will keep the lnk file as the path in the URL bar.
Comment 18 Brian R. Bondy [:bbondy] 2011-07-21 10:01:45 PDT
> we should be storing the fully-resolved filename somewhere and using it for security checks

Is there any reason we want to preserve the lnk file?
Comment 19 Boris Zbarsky [:bz] 2011-07-21 10:02:00 PDT
> but that also hits the changed code.

The original file does.  But clicking the anchor shouldn't.

Just curious... what's the Unix behavior here with symlinks?  This is really the same issue.  Do we have the same problem there?
Comment 20 Boris Zbarsky [:bz] 2011-07-21 10:02:19 PDT
> Is there any reason we want to preserve the lnk file?

Well, what should relative URIs do?  What should the base be?
Comment 21 Robert Strong [:rstrong] (use needinfo to contact me) 2011-07-21 10:04:30 PDT
(In reply to comment #19)
> > but that also hits the changed code.
> 
> The original file does.  But clicking the anchor shouldn't.
> 
> Just curious... what's the Unix behavior here with symlinks?  This is really
> the same issue.  Do we have the same problem there?
Mac .webloc files are much more similar to Windows .lnk files
Comment 22 Brian R. Bondy [:bbondy] 2011-07-21 10:14:05 PDT
> what's the Unix behavior here with symlinks? 

I think the problem would be present both in mac and linux so the fix did use the platform independent IsSymLink.  I will try those platforms though.

> Well, what should relative URIs do?  What should the base be?

With an <a href> to a relative .lnk file, it goes into the function as the already resolved fully spec'ed HTTP URL. But the fix doesn't work for clicking on links as you mentioned though so maybe this will be a problem in the new location I have a fix in.

> The original file does.  But clicking the anchor shouldn't.

It hits that function when clicking on the anchor with an input URL of the a href target (lnk file).  Not sure why, something from JS.  But as mentioned my patch doesn't fix that case so I will fix it in any case somewhere else.
Comment 23 Boris Zbarsky [:bz] 2011-07-21 10:41:41 PDT
> Not sure why, something from JS. 

So not the actual codepath that leads up to the load, is the point.  Almost certainly the "show the url on hover" code.

I think the right thing to do here is to first figure out what our security policy and relative link behavior should be for the symlink case.  Then we can figure out how to implement that...
Comment 24 Brian R. Bondy [:bbondy] 2011-07-21 10:59:46 PDT
> So not the actual codepath that leads up to the load

Ya, I had just tested initially with a breakpoint on the function but then realized that after.  You were right :)

>  figure out what our security policy and relative link behavior should be for the symlink case

I will wait for dveditz to comment before proceeding on this task.
Comment 25 Paul Stone 2011-07-22 01:48:10 PDT
I just tested this on Linux with symlinks and it does indeed work. However it'd be rather more tricky to exploit than on Windows - lnk files are normal files that can be accessed remotely. Symlinks are a filesystem feature so it would be difficult for an attacker to place one on the user's machine.
Comment 26 Boris Zbarsky [:bz] 2011-07-22 07:10:56 PDT
You can have symlinks on remote filesystems, last I checked.
Comment 27 Paul Stone 2011-07-22 07:32:52 PDT
(In reply to comment #26)
> You can have symlinks on remote filesystems, last I checked.

I guess symlinks would work over an NFS mount, but there's no way (or at least I hope not) to force a user to mount a remote NFS share though Firefox. Firefox does support smb: and sftp: on Gnome now bug 494163 is fixed. However remote symlinks over those protocols would be resolved by the remote filesystem, not the user's system.

Unless there's another way I'm not thinking of? Anyway I guess it's best to resolve symlinks and lnk files in the same way just to simplify things.
Comment 28 Paul Stone 2011-07-22 07:54:01 PDT
Hmm, apparently Samba implements some UNIX extensions which allow remote symlinks: http://wiki.samba.org/index.php/UNIX_Extensions#Minshall.2BFrench_symlinks

I'll have a play and report back.
Comment 29 Boris Zbarsky [:bz] 2011-07-22 08:41:15 PDT
Comment on attachment 547405 [details] [diff] [review]
Fix for Arbitrary File + Directory read via .lnk files on Windows Share

This isn't the right fix.
Comment 30 Brian R. Bondy [:bbondy] 2011-07-29 10:16:19 PDT
Created attachment 549410 [details] [diff] [review]
Fix for Arbitrary File + Directory read via .lnk files

It is fixed now, I think correctly.

- The patch will work in all cases for loads even from a href links.
- If a .lnk URI is detected on the nsFileChannel, the patch will set the original URI to where the source data of the link first came from.  E.g. to the LNK's resolved target.
Comment 31 Boris Zbarsky [:bz] 2011-07-29 10:44:52 PDT
I'd like to understand the answers to my questions in comment 23 before reviewing, please.
Comment 32 Brian R. Bondy [:bbondy] 2011-07-29 10:52:50 PDT
Ok thanks bz, np. 
I think the action item is for dveditz so I will feedback? him on this patch. 
Please let me know if there are any other action items for me before that feedback. 

For normal files I believe the security policy is that they are considered the same origin if they have the same URI.
For symlinks, the security policy was the same as for normal files just mentioned. 

What I think the policy should be for symlinks, and what this fix accomplishes, is that the origin is considered the same if the target of symlinks are the same.  This is because a symlink can point to different resources between requests while having the same URI.
Comment 33 Boris Zbarsky [:bz] 2011-07-29 11:00:47 PDT
> For normal files I believe the security policy is that they are considered the
> same origin if they have the same URI.

There are some complications involving subdirectory loads sourced from a file.  It's not as simple as "same URI".  And once you start talking subdirectories, where your file "really" lives matters.

Also, the relative URI resolution question still needs answering.

(Fwiw, I believe the patch is wrong on its face because it violates the originalURI contract, but I would like to understand what behavior we want before trying to suggest ways to achieve it....)
Comment 34 Brian R. Bondy [:bbondy] 2011-07-29 16:33:55 PDT
Regarding the relative test:

Test case:

1.
file:///C:/a/b/c/test.lnk
Points to:
c:\test.html

2.
Inside test.html you have <a href="test2.html>link</a>

3. 
Does test2.html resolve to:
file:///C:/a/b/c/test2.html
or 
file:///C:/a/test2.html

Windows Results when dropping c:\a\b\c\test.lnk: 
- Chrome12 loads file:///C:/a/test.html clicking on relative link brings you to file:///C:/a/test2.html
- IE9 loads file C:\a\test2.html clicking on relative link brings you to C:\a\test2.html
- Opera11.5 loads file://localhost/C:/a/test.html clicking on relative link brings you to file://localhost/C:/a/test2.html
- Safari5.1: Reveals the path in explorer: C:\a\b\c\test.lnk
- Firefox5: loads file file:///C:/a/b/c/test.lnk (which contains test.html), clicking on link brings you to file:///C:/a/b/c/test2.html
- Firefox Nightly post-patch: loads file file:///C:/a/test.html, clicking on link brings you to file:///C:/a/test2.html

Linux results when dropping /home/bbondy/a/b/c/test.html: (which is a symlink to /home/bbondy/a/test.html)
- Konqueror loads file file:///home/bbondy/a/b/c/test.html, clicking on link brings you to file:///c:/a/b/c/test2.html
- Chrome12 loads file file:///home/bbondy/a/b/c/test.html, clicking on link brings you to file:///c:/a/b/c/test2.html
- Opera11.5 loads file localhost/home/bbondy/a/b/c/test.html, clicking on link brings you to localhost/home/bbondy/a/b/c/test2.html
- Firefox5 loads file file:///home/bbondy/a/b/c/test.html, clicking on link brings you to file:///c:/a/b/c/test2.html

Mac OS X symlinks (ln -s):
- Same as linux as expected

Mac OS X alias files:
- Chrome12: Downloads right away and when you open with Chrome it brings you to file:///Users/bbondy/a/test.html, clicking on link brings you to file://Users/bbondy/a/test2.html
- Opera11.5 downloads the file, when you open with Opera it asks to download it again
- Safari5.1: Opens Finder with the alias selected
- Firefox5: Brings up download dialog for /users/bbondy/a/b/c, select open with firefox, brings you to file:///Users/bbondy//a/test.html, clicking on link brings you to file:///Users/bbondy/a/test2.html

Depending on feedback on security policy we have several possible ways to proceed:
- Change the original URI to be the LNK target URI, which is what the current patch does, (but this is probably not desired, bz mention it violates the originalURI contract)
- Treat lnk as a redirects
- Get the link target's principal via getChannelPrincipal
- Something else

Need to know:
- What the security policy should be
- How relative link behavior should work, as we did before, or as the other browsers do in Windows?
Comment 35 Boris Zbarsky [:bz] 2011-07-29 17:44:47 PDT
I guess the other question is whether we should aim for consistent behavior for .lnk and Unix symlinks or just do what other browsers do and be inconsistent....
Comment 36 Paul Stone 2011-08-11 08:51:04 PDT
Although bug 494163 is fixed, gio integration isn't actually enabled in any Firefox builds I could find (nightlies, Ubuntu or Fedora). So it seems that this bug is currently only exploitable on Windows. That said, I expect gio will be turned on at some point in the future so I suppose the behaviour for symlinks should follow what .lnk does.
Comment 37 Brian R. Bondy [:bbondy] 2011-09-21 08:30:43 PDT
I emailed on Aug 31st for feedback but have not gotten a response yet.
Boris is there someone else we can ask for the needed feedback on this?

Recall, needed feedback is:
- Comment 34 section "Need to know:"
- Comemnt 35
Comment 38 Boris Zbarsky [:bz] 2011-09-21 11:00:37 PDT
> Boris is there someone else we can ask for the needed feedback on this?

I don't know.

Did you send non-bugmail to dveditz already?  If not, could you do that please?
Comment 39 Brian R. Bondy [:bbondy] 2011-09-21 11:03:39 PDT
Ya I've sent a non bugmail one on Aug 31st. Also I've tried to find dveditz on IRC but cannot find him. 

If there's anything else I can do to move this bug forward in the meantime please let me know.
Comment 40 Boris Zbarsky [:bz] 2011-09-21 11:22:05 PDT
Mail Lucas Adamski and ask him to make sure dveditz or someone else on the security team takes a look at this?
Comment 41 Brian R. Bondy [:bbondy] 2011-09-21 11:25:48 PDT
Emailed.
Comment 42 Daniel Veditz [:dveditz] 2011-09-23 13:52:40 PDT
The patch behavior for Windows seems right and consistency with other browsers is a plus. I'm OK with the behavior for Mac alias files, which I suspect this patch doesn't touch in any way (I assume we get the local file URL from the OS after it handles the alias).

The pre-existing behavior for symlinks seems correct. Haven't tested, but this patch looks like it changes that and that seems wrong. I'm perfectly fine treating traditional symlinks one way (as expected by linux users) and treating Windows .lnk files more like a redirect.

Changing the OriginalURI worries me because we rely on that to mean different things in other contexts. It's taking me a while going through the code to reassure myself that it's not going to mess with other cases.

I really wish we simply didn't support UNC paths (I already hear the screaming protests). Our code basically assumes "file:" means "local", but UNC blows a gaping hole in that assumption every time. I'd be OK continuing to pretend mapped drive letters are "local" because at least the user "mounted" it in a way.
Comment 43 Boris Zbarsky [:bz] 2011-09-23 13:55:24 PDT
Changing the original URI is not OK.  We can change the URI and set the "redirected" flag, though.
Comment 44 Daniel Veditz [:dveditz] 2011-09-26 23:10:22 PDT
Comment on attachment 549410 [details] [diff] [review]
Fix for Arbitrary File + Directory read via .lnk files

So bz's last comment is an r- ?
Comment 45 Boris Zbarsky [:bz] 2011-09-26 23:12:02 PDT
I think so, yes, but there was no point worrying about the code details until we had a clear plan for the desired behavior.
Comment 46 Brian R. Bondy [:bbondy] 2011-09-27 06:03:46 PDT
Just finishing up on a silent update task, will get back on this late this week or early next. Thanks for the feedback dveditz/bz.
Comment 47 Brian R. Bondy [:bbondy] 2011-10-24 13:36:59 PDT
Comment on attachment 549410 [details] [diff] [review]
Fix for Arbitrary File + Directory read via .lnk files

Cancelling review for now until I get a new patch with dveditz’s feedback.  I'll have time to look at this again after I focus on the silent update service which we're trying to get in v10.
Comment 48 Paul Stone 2012-02-20 05:09:38 PST
Brian, are you likely to have time to look at this bug soon? If not, is there anyone else who might be able to take it on?
Comment 49 Brian R. Bondy [:bbondy] 2012-02-20 06:04:25 PST
I can retake this bug within the next couple weeks and try a new patch. If you find someone who can do it before that please feel free to re-assign.
Comment 50 Brian R. Bondy [:bbondy] 2012-03-12 10:42:46 PDT
Created attachment 605002 [details] [diff] [review]
Patch v3.

Implemented review comments as per Comment 43.
I think this is the correct handling now. 

Sorry for taking so long to get back to this, I had to re-setup the environment for this bug.  Should there be more review comments to implement, I'll make them my highest priority.
Comment 52 Boris Zbarsky [:bz] 2012-03-28 22:16:44 PDT
Comment on attachment 605002 [details] [diff] [review]
Patch v3.

Why is REDIRECT_INTERNAL involved?  How does that fix the bug?

Shouldn't you just be setting the LOAD_REPLACE load flag?
Comment 53 Brian R. Bondy [:bbondy] 2012-03-29 04:42:39 PDT
> Why is REDIRECT_INTERNAL involved? 

I must have misunderstood Comment 43 when you said: 

> We can change the URI and set the "redirected" flag, though.

Out of the redirect flags I could find, I thought that was the most appropriate one.

> How does that fix the bug?

Setting the flag isn't the part that fixes the bug, setting the URI to the resolved target is.

> Shouldn't you just be setting the LOAD_REPLACE load flag?

I'm very familiar with writing network protocol implementations, but not with mozilla/netwerk code yet, so I don't know the answer to the question. It sounds like you are suggesting that though, so I will attach a patch that way instead.  Thanks for the info.
Comment 54 Brian R. Bondy [:bbondy] 2012-03-29 06:43:13 PDT
Created attachment 610525 [details] [diff] [review]
Patch v4.

The description of LOAD_REPLACE in nsIChannel.idl seems appropriate.
Updated patch as per review comments.
Comment 55 Boris Zbarsky [:bz] 2012-04-05 13:21:25 PDT
I'm sorry for the lag here.  I've been trying to understand why setting the URI to the resolved target but NOT setting LOAD_REPLACE was fixing the bug.  Why is that, exactly?  The principal should be based on the originalURI if LOAD_REPLACE is not set, which should be the .lnk URI, still.

That part really confuses me, and I'd like to understand what's going on with that.  where's the NS_SecurityCompareURIs from comment 10 happening?
Comment 57 Brian R. Bondy [:bbondy] 2012-04-16 16:27:07 PDT
Created attachment 615531 [details] [diff] [review]
Patch v5

So the reason why it was working without the LOAD_REPLACE flag was because SetURI also sets the OriginalURI.  I was calling SetURI with the target of the lnk file.  The real original URI was lost. 

With this new patch, I retain the real original URI and specify LOAD_REPLACE.
I verified that removing the LOAD_REPLACE flag makes it so I can reproduce the original reported issue.
Comment 58 Boris Zbarsky [:bz] 2012-04-17 11:38:40 PDT
Comment on attachment 615531 [details] [diff] [review]
Patch v5

The nsNetUtil code should probably preserve LOAD_REPLACE in all cases, not just for "file" scheme.  That's come up as an issue in the past, actually.

r=me with that changed.  Thank you for hunting down what was going on here!

If you can manage to write a test for this (esp. one that checks the originalURI bit), that would be great.
Comment 59 Brian R. Bondy [:bbondy] 2012-04-18 11:43:37 PDT
Sounds good thanks for the review. 

I'll attach a new patch with the test for review and I'll make the change to preserve the LOAD_REPLACE flag in all cases and carry forward the existing r+ to that.
Comment 60 Brian R. Bondy [:bbondy] 2012-05-02 08:26:17 PDT
Created attachment 620323 [details] [diff] [review]
Patch v6

> The nsNetUtil code should probably preserve LOAD_REPLACE in all cases, 
> not just for "file" scheme.  That's come up as an issue in the past, actually.

Done.  Carrying forward r+.
I'll attach the test patch as a new patch to this bug before landing.
Comment 61 Brian R. Bondy [:bbondy] 2012-05-02 11:14:36 PDT
Created attachment 620384 [details] [diff] [review]
Test patch. v1.
Comment 62 Boris Zbarsky [:bz] 2012-05-02 11:19:25 PDT
Comment on attachment 620384 [details] [diff] [review]
Test patch. v1.

r=me
Comment 64 Brian R. Bondy [:bbondy] 2012-05-03 17:10:54 PDT
I don't think this needs to go in aurora/beta but please let me know if you disagree dveditz.
Comment 65 Daniel Veditz [:dveditz] 2012-05-17 16:38:16 PDT
The bias for high/critical bugs should be to ship them as soon as possible, unless something like patch risk outweighs that good. This does not seem to be a particularly risky patch.

We will need to include the fixes for the two regressions, bug 751905 and bug 754894
Comment 66 Alex Keybl [:akeybl] 2012-05-17 16:41:10 PDT
Given Dan's Comment 65, please nominate for aurora/beta approval and land the patch prior to 5/21.

Also adding qawanted to perform some exploratory testing (once landed) around opening links to files on Windows Shares, to ensure we don't regress anything here.
Comment 67 Brian R. Bondy [:bbondy] 2012-05-17 17:37:31 PDT
Comment on attachment 620323 [details] [diff] [review]
Patch v6

[Approval Request Comment]
Bug caused by (feature/regressing bug #): unknown

User impact if declined: If a user can be persuaded to visit an HTML file hosted on a public Windows share then that page can use .lnk files to read arbitrary files and directory listings from their machine.

Testing completed (on m-c, etc.): The problem seems to be gone and initial regressions have been fixed. 

Risk to taking this patch (and alternatives if risky): I personally think the changes are somewhat risky and this security problem has always been there. I personally don't think this should go in (especially beta), but am requesting because I was asked to by dveditz and akeybl. 

String or UUID changes made by this patch: none

If this is marked for approval on Aurora or Beta I will bundle in the fixes to the regressions found in Bug 751905 and Bug 754894.
Comment 68 Brian R. Bondy [:bbondy] 2012-05-17 17:40:25 PDT
You mentioned this would need to land prior to 5/21.  If possible please let me know as soon as possible because I'll be going away for the long weekend.
Comment 69 Brian R. Bondy [:bbondy] 2012-05-17 17:44:36 PDT
I am working Friday by the way, so I didn't mean today in Comment 68.
Comment 70 Alex Keybl [:akeybl] 2012-05-18 15:33:50 PDT
Comment on attachment 620323 [details] [diff] [review]
Patch v6

[Triage Comment]
Given Brian's concerns, we'll make sure to perform targeted QA around opening links from Windows Shares. Any further guidance in testing would be appreciated.

Approving for Aurora 14 and Beta 13. If landed on 5/22, this can still make it into our next beta.

An ESR patch will need to follow.
Comment 71 Alex Keybl [:akeybl] 2012-05-18 15:34:14 PDT
(In reply to Alex Keybl [:akeybl] from comment #70)
> An ESR patch will need to follow.

(prior to 6/1)
Comment 72 Brian R. Bondy [:bbondy] 2012-05-18 18:37:41 PDT
> Given Brian's concerns, we'll make sure to perform targeted QA around 
> opening links from Windows Shares. Any further guidance in testing 
> would be appreciated.

The change that was somewhat risky in particular was preserving the load replace flag on *all* channels.  The last bug wasn't discovered for 11 days after landing.  The problems could really show up anywhere so I can't come up with any specific guidance for finding regressions.  

QA should also please test to make sure they can reproduce the PoC on a build before this fix, but can no longer reproduce on a build after this fix.
Comment 73 Brian R. Bondy [:bbondy] 2012-05-18 19:04:35 PDT
Created attachment 625333 [details] [diff] [review]
Bundled Beta and Aurora patch - this bug +  Bug 751905 + Bug 754894

Here's the bundled patch. 
Carrying forward beta+ and aurora+ (I can't mark them myself though).  I will probably use it for esr as well if it applies cleanly at a later date before june 1st.
Comment 74 Brian R. Bondy [:bbondy] 2012-05-18 20:26:38 PDT
http://hg.mozilla.org/releases/mozilla-aurora/rev/cf5c4540fe22

I could not push to beta because the tree is closed at this time.  If someone notices it open please feel free to push the change set from aurora to beta as well.  Otherwise I should get to it tomorrow night.
Comment 75 Brian R. Bondy [:bbondy] 2012-05-20 12:42:11 PDT
For anyone following along that doesn't already know, beta is still closed so could not land there still.
Comment 76 Al Billings [:abillings] 2012-05-21 13:36:58 PDT
(In reply to Brian R. Bondy [:bbondy] from comment #75)
> For anyone following along that doesn't already know, beta is still closed
> so could not land there still.

How about ESR?
Comment 77 Brian R. Bondy [:bbondy] 2012-05-21 14:41:46 PDT
Comment 73
Comment 78 Brian R. Bondy [:bbondy] 2012-05-21 15:34:28 PDT
http://hg.mozilla.org/releases/mozilla-beta/rev/7a2c1909e205
Comment 79 Brian R. Bondy [:bbondy] 2012-05-21 17:55:12 PDT
http://hg.mozilla.org/releases/mozilla-esr10/rev/8ef222645a1a
Comment 80 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2012-05-22 12:51:08 PDT
Removing qawanted as this will now fall into our daily [qa+] verification bucket. Note to verifiers to use the PoC as well as do some exploratory around Windows shares.
Comment 81 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2012-05-22 15:57:45 PDT
@Paul, it's going to take considerable effort for me to get an environment set up to even be able to test this fix. Would you kindly be able to verify the fix in Firefox 13, 14, 15, and latest-mozilla-esr10?
ftp://ftp.mozilla.org/pub/firefox/nightly/latest-mozilla-esr10/
Comment 82 Paul Stone 2012-05-24 05:32:00 PDT
Just wanted to check - Firefox 13 = Beta, 14 = Aurora, 15 = Nightly?
Comment 83 Brian R. Bondy [:bbondy] 2012-05-24 05:36:14 PDT
Yup until June 5th (or close to that day)
https://wiki.mozilla.org/Releases

After June 5th everything shifts one to the left and Nightly becomes 16.
Comment 84 Paul Stone 2012-05-31 01:08:44 PDT
I've confirmed that the POC no longer works in the current ESR, Nightly, Beta and Nightly releases. Visiting .lnk files now causes a 'redirect' to the target of the lnk file.
Comment 85 Brian R. Bondy [:bbondy] 2012-05-31 06:07:46 PDT
Thanks for verifying Paul!
Comment 86 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2012-05-31 10:44:52 PDT
Thanks Paul, did you have a chance to check Aurora?
Comment 87 Paul Stone 2012-05-31 11:54:48 PDT
Yeah I did check Aurora too, just forgot to include it in the list
Comment 88 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2012-05-31 11:56:09 PDT
Thanks again, Paul.
Comment 89 Huzaifa Sidhpurwala 2012-06-04 00:41:22 PDT
Maybe i am mis-understanding this issue here, but it seems that this bug affects only the Windows version of Firefox right?
Linux versions are not affected!
Comment 90 Al Billings [:abillings] 2012-06-05 10:08:44 PDT
(In reply to Huzaifa Sidhpurwala from comment #89)
> Maybe i am mis-understanding this issue here, but it seems that this bug
> affects only the Windows version of Firefox right?
> Linux versions are not affected!

See comment 22, 27, 28, etc for discussion.
Comment 91 Raymond Forbes[:rforbes] 2013-07-19 18:46:02 PDT
rforbes-bugspam-for-setting-that-bounty-flag-20130719
Comment 92 txema.gonz 2013-11-16 10:24:50 PST
(In reply to Brian R. Bondy [:bbondy] from comment #22)
> > what's the Unix behavior here with symlinks? 
> 
> I think the problem would be present both in mac and linux so the fix did
> use the platform independent IsSymLink.  I will try those platforms though.
> 
> > Well, what should relative URIs do?  What should the base be?
> 
> With an <a href> to a relative .lnk file, it goes into the function as the
> already resolved fully spec'ed HTTP URL. But the fix doesn't work for
> clicking on links as you mentioned though so maybe this will be a problem in
> the new location I have a fix in.
> 
> > The original file does.  But clicking the anchor shouldn't.
> 
> It hits that function when clicking on the anchor with an input URL of the a
> href target (lnk file).  Not sure why, something from JS.  But as mentioned
> my patch doesn't fix that case so I will fix it in any case somewhere else.

I see this question is fixed, but I have come across some side effects. 

Developing in *NIX systems a TDD System (https://github.com/txemagon/lluvia-Project) we finally decided to host the framework inside its own folder and create a symbolic link into every package. Now developing with version greater than 12 is impossible.

I posted a question in https://support.mozilla.org/es/questions/951431 and a possible solution: letting the user to allow symlinks (hosted in github)

Finally, following the kind instructions of Daniel Holbert, I've landed here in this post. I'm pretty sure the solution is not going to be tough, but I feel this is too much for me.

Thanks for reconsidering the status of this bug.

Note You need to log in before you can comment on or make changes to this bug.