Closed Bug 734794 Opened 12 years ago Closed 12 years ago

PDF.js doesn't sanitize links in PDF documents (potential XSS vector)

Categories

(Firefox :: General, enhancement)

12 Branch
enhancement
Not set
normal

Tracking


RESOLVED FIXED
Tracking Status
firefox12 --- unaffected
firefox13 --- unaffected
firefox-esr10 --- unaffected

People

(Reporter: pauljt, Assigned: bdahl)

References

Details

(Whiteboard: [sg:high])

Attachments

(1 file)

Attached file Demo of issue
PDF.js converts links in PDF documents to links with the displayed HTML page. The link href isn't sanitized, so links such as javascript: (and similar variants) are XSS vectors for any website which allows PDF upload (for users of this extension).

Other browser PDF plugins restrict links to http or https, which would be something to consider doing in PDF.js. (Chrome's PDF viewer forces http:, and from memory the Acrobat plugin forbids the javascript: scheme in later versions.)

The risk is mitigated by the following factors:
- a site would need to allow upload of arbitrary PDF, although this is common
- The XSS vector requires user interaction (user must click the link)
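The check the report asks for, as an added example and not code from pdf.js or from the patch under review: resolve the link annotation's URI against the document URL with the WHATWG URL parser, keep the link only if its scheme is on a short allow-list, and otherwise render plain text instead of an anchor. The function names, the allow-list, the document URL and the sample URIs are all constructed for this demonstration.

```javascript
// Added example (not pdf.js code): allow-list the URI scheme of a PDF link
// annotation before turning it into an HTML anchor. Function names, the
// document URL and the sample URIs are constructed for this demonstration.

// Schemes a PDF link is allowed to navigate to. javascript:, data:, vbscript:
// and everything else are rejected by omission rather than by a blocklist.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);

// Resolve `uri` (the /URI entry of a link annotation) against the URL of the
// document being viewed and return a normalised href, or null when the scheme
// is not on the allow-list or the URI does not parse at all.
function sanitizeLinkHref(uri, baseUrl) {
  let parsed;
  try {
    // The WHATWG parser strips leading/trailing controls and spaces, removes
    // embedded tab/newline characters and lower-cases the scheme, so a URI such
    // as " JaVa\tScRiPt:alert(1)" is recognised as javascript: instead of
    // slipping past a naive prefix comparison.
    parsed = new URL(uri, baseUrl);
  } catch (e) {
    return null; // unparsable input: drop the link rather than guess
  }
  return ALLOWED_SCHEMES.has(parsed.protocol) ? parsed.href : null;
}

// Minimal escaping for HTML attribute and text content.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// The unsafe behaviour the bug describes: the annotation's URI goes straight
// into href, so a javascript: link runs script in the hosting site's origin
// when the user clicks it.
function renderLinkUnsafe(uri, text) {
  return `<a href="${uri}">${text}</a>`;
}

// Hardened rendering: rejected links degrade to plain text, accepted links
// get an escaped href and no window.opener access.
function renderLink(uri, text, baseUrl) {
  const href = sanitizeLinkHref(uri, baseUrl);
  if (href === null) {
    return `<span>${escapeHtml(text)}</span>`;
  }
  return `<a href="${escapeHtml(href)}" rel="noopener noreferrer" target="_blank">${escapeHtml(text)}</a>`;
}

// Constructed sample: the URL of the PDF being viewed and link URIs an
// attacker might embed in an uploaded document.
const DOC_URL = "https://example.com/uploads/report.pdf";
const SAMPLE_URIS = [
  "https://mozilla.org/",
  "page2.pdf",
  "javascript:alert(document.cookie)",
  " JaVa\tScRiPt:alert(1)",
  "data:text/html,<script>alert(1)</script>",
  "vbscript:MsgBox(1)",
];

if (typeof require !== "undefined" && require.main === module) {
  for (const uri of SAMPLE_URIS) {
    console.log(JSON.stringify(uri));
    console.log("  unsafe:", renderLinkUnsafe(uri, "click me"));
    console.log("  safe:  ", renderLink(uri, "click me", DOC_URL));
  }
}
```

Run it with `node` to see each sample rendered both ways. The allow-list is deliberate: a blocklist of known-bad schemes misses the next one, while an allow-list of http:, https: and mailto: covers what a document link legitimately needs. Resolving relative URIs against the document URL also means a plain `page2.pdf` keeps working, which a check that only accepts absolute http(s) strings would break.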
Assignee: nobody → bdahl
Fix under review at https://github.com/mozilla/pdf.js/pull/1326
Status: NEW → ASSIGNED
Pure guess that we're trying to land this in Firefox 14? It's not in 13.
This should be resolved in our latest patch.
The patch from above (https://github.com/mozilla/pdf.js/pull/1326/files) is part of the pdf.js master, and is now part of the attachment #607846 [details] [diff] [review] of the block bug #714712.

Paul, shall we do something special (unblock, close?) to this issue before 714712 landing?
The fix looks good to me, and I have tested the in-plugin version as well.

However I am not yet familiar with the process for making it public. For now, I will just mark it as resolved, and I'll find out what the process is for making it public.
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
So the verdict was to leave it secured for the moment, at least long enough that users will have had their extension updated; the security team will unhide it later if/when appropriate.
Group: core-security → core-security-release
Group: core-security-release
