Bug 734794: PDF.js doesn't sanitize links in PDF documents (potential XSS vector)
Opened 13 years ago, closed 13 years ago
Categories: Firefox :: General, enhancement
Status: RESOLVED FIXED
| Version | Tracking | Status |
|---|---|---|
| firefox12 | --- | unaffected |
| firefox13 | --- | unaffected |
| firefox-esr10 | --- | unaffected |
People: Reporter pauljt, Assignee bdahl
(Whiteboard: [sg:high])
Attachments (1 file): application/pdf, 16.18 KB
PDF.js converts links in PDF documents to links in the displayed HTML page. The link href isn't sanitized, so links such as javascript: (and similar variants) are XSS vectors for any website which allows PDF upload (for users of this extension).
Other browser PDF plugins restrict links to http or https, which would be something to consider doing in PDF.js. (Chrome's PDF viewer forces http:, and from memory the Acrobat plugin forbids the javascript: scheme in later versions.)
The risk is mitigated by the following factors:
- a site would need to allow upload of arbitrary PDF, although this is common
- the XSS vector requires user interaction (the user must click the link)
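The scheme allow-list the report asks for, as an added example written for this page rather than PDF.js's own fix (the fix itself is in the pull request referenced below, not reproduced here). The function names, the set of permitted schemes and the sample URIs are assumptions; the point it shows is that a URI copied verbatim from a PDF /URI action becomes a live javascript: href, and that parsing with the WHATWG URL parser before checking the scheme also catches the "similar variants" (mixed case, leading whitespace, embedded tabs) that a naive string prefix check on "javascript:" misses.

```javascript
// Added example, not PDF.js code. Scheme allow-listing for link annotations
// before their URI is written into an HTML anchor's href.

// Assumed allow-list; the report notes Chrome restricts to http(s) only.
const SAFE_SCHEMES = new Set(["http:", "https:", "ftp:", "mailto:"]);

// Returns a normalized href for the anchor, or null if the URI must be dropped.
function sanitizeLinkUri(uri) {
  if (typeof uri !== "string") return null;
  let parsed;
  try {
    // The WHATWG parser lower-cases the scheme, trims leading/trailing
    // whitespace and removes embedded tabs/newlines, so "JavaScript:",
    // " javascript:" and "java\tscript:" all parse with protocol "javascript:".
    parsed = new URL(uri);
  } catch (e) {
    return null; // not an absolute URL (relative path, bare host, garbage)
  }
  return SAFE_SCHEMES.has(parsed.protocol) ? parsed.href : null;
}

// Minimal HTML attribute escaping; the parser never leaves a raw '"' in
// parsed.href, but '&' survives and must not be written raw either.
function escapeAttr(s) {
  return s
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Vulnerable rendering: the PDF's URI is copied straight into the href.
function renderLinkUnsafe(uri) {
  return `<a href="${uri}">link</a>`;
}

// Hardened rendering: a URI outside the allow-list loses its href entirely,
// so the anchor stays visible in the page but is inert.
function renderLinkSafe(uri) {
  const href = sanitizeLinkUri(uri);
  if (href === null) return "<a>link</a>";
  return `<a href="${escapeAttr(href)}">link</a>`;
}

// Constructed sample of URIs as they might come out of /URI actions in an
// uploaded PDF; the first four are the kind of variants the report mentions.
const SAMPLE_URIS = [
  "javascript:alert(document.cookie)",
  "JavaScript:alert(1)",
  " javascript:alert(1)",
  "java\tscript:alert(1)",
  "data:text/html,<script>alert(1)</script>",
  "vbscript:MsgBox(1)",
  "HTTPS://Example.COM/report.pdf?a=1&b=2",
  "mailto:security@example.com",
  "www.example.com", // no scheme: dropped rather than guessed
];

// Partitions the sample into {kept, dropped} so the effect is inspectable.
function auditLinks(uris) {
  const kept = [];
  const dropped = [];
  for (const uri of uris) {
    const href = sanitizeLinkUri(uri);
    if (href === null) dropped.push(uri);
    else kept.push(href);
  }
  return { kept, dropped };
}

if (typeof require !== "undefined" && require.main === module) {
  for (const uri of SAMPLE_URIS) {
    console.log(JSON.stringify(uri));
    console.log("  unsafe:", renderLinkUnsafe(uri));
    console.log("  safe:  ", renderLinkSafe(uri));
  }
}
```

Dropping the href rather than rewriting it to about:blank keeps the anchor text visible so the reader can see the document had a link there; what goes in the allow-list is a policy choice, and the report's own suggestion (http and https only, as Chrome does) is the stricter one.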
Updated 13 years ago: Assignee: nobody → bdahl

Comment 1 (Assignee), 13 years ago:
Fix under review at https://github.com/mozilla/pdf.js/pull/1326
Status: NEW → ASSIGNED
Comment 2, 13 years ago:
Pure guess that we're trying to land this in Firefox 14? It's not in 13.
status-firefox-esr10: --- → unaffected
status-firefox12: --- → unaffected
status-firefox13: --- → unaffected
Whiteboard: [sg:high]
Comment 3 (Assignee), 13 years ago:
This should be resolved in our latest patch.
Comment 4, 13 years ago:
The patch from above (https://github.com/mozilla/pdf.js/pull/1326/files) is part of the pdf.js master, and is now part of attachment #607846 [details] [diff] [review] of the block bug #714712.
Paul, shall we do something special (unblock, close?) with this issue before 714712 lands?
Comment 5 (Reporter), 13 years ago:
The fix looks good to me, and I have tested the in-plugin version as well.
However, I am not yet familiar with the process for making it public. For now, I will just mark it as resolved, and I'll find out what the process is for making it public.
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Comment 6 (Reporter), 13 years ago:
So the verdict was to leave it secured for the moment, at least long enough that users will have had their extension updated; the security team will unhide it later if/when appropriate.
Updated 9 years ago: Group: core-security → core-security-release
Updated 8 years ago: Group: core-security-release