Viewing links to .jpg file doesn't work

RESOLVED INVALID

Status

--
critical
RESOLVED INVALID
18 years ago
11 years ago

People

(Reporter: esther, Assigned: mscott)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

18 years ago
Using 2001-04-17 on winme, mac and linux a link to a .jpg in a message body 
doesn't recognize it as a .jpg file (could happen to other native files, but 
haven't tested yet).  May be same as 63225, but not sure.  

1. Launch mail and send yourself a mail message with a .jpg as a link (use I 
sert to give a name and location to the .jpg file located on your hard drive).
2. Get that message and click on the link.

Result:  I get a Open/Save dialog
Expected: To open up the .jpg file in a new browser window.  This is what 4.7 
does with this same message.

3. Right mouse click on the link and select Save Link As 

Result: you the save as dialog with the wrong name inserted, (INBOX>108922 
instead of humor.jpg)
Expected: to get the save as dialog with the correct name inserted (this is what 
4.7 did for messages of this type sent using 4.7 & today's build).
(Assignee)

Comment 1

18 years ago
hey esther...I don't think you are allowed to click on a file url inside a
message you sent yourself. It's a security hole if you can.

Using today's build, I sent myself a message with a file URL:
file:///c:/test.jpeg

I then received the message and tried to click on my file URL. I got an error to
the console from the security manager saying:

The link to file:///C:/dell/docs/bedirect.jpg was blocked by the security manage
r.
Remote content may not link to local content.

I believe this is the intended behavior. cc'ing mstoltz to be sure.

If you are having trouble viewing a JPEG someone sent you as an http url then
this bug is a problem. 
(Assignee)

Comment 2

18 years ago
Mitch, one other thing I noticed while playing around with this. If I click on
the file url in the message, the security manager steps in and says I don't
think so. If I instead click Save Link As, we'll correctly load the url and save
it to a destination of my choosing. Not sure if that's a problem or of it's allowed.
(Reporter)

Comment 3

18 years ago
Scott, Yes in my sceario I inserted a link to a local file in the message body 
and sent it to myself.  When I run the app -console I get this error on the 
console when I try to "Open Link in New Window"  JavaScript error:
line 0: uncaught exception: Load of file:///D:/Attachments/harrison.jpg denied. 
But I don't get any error on the front end telling me why it failed.  Also, I 
can open this link in 4.7, is this a newly discovered security risk that 4.7 
still has?  I get what you get when I do a "Save Link As" the correct name and a 
save.

As suggested, I did this again from a different account and system.  I inserted 
a link to a local file from qatest04 on my linux system and sent it to my 
account and viewed it on my PC.  Asking to "Open Link in a New Window"  Brings 
up the Downloading window, it doesn't recognize the .jpg, the downloading window 
states "This file has mime type application/oct-stream and cannot be viewed 
using Netscape 6. You can open it with another application or save it to disk". 
If I chose to Save it, I get the wrong file name "INBOX%3E109152".  If use the 
context menu to Save Link As... I get the wrong file name "INBOX>109152".
So this is still broken, but maybe the same as bug 63225

Scott,
   I don't think I've added a check on Save Link As. It's probably not
necessary; it's unlikely a user could be convinced to save a link in a known
location, which might present a risk, but it's pretty farfetched. I may be
reaching the point where annoyance overwhelms security gain; I'm not sure.
There's no immediate risk, so I'm going to leave it as is for a while.
(Assignee)

Comment 5

18 years ago
that policy sounds find to me Mitch. (about not blocking save link as)

Comment 6

17 years ago
Current behaviour is;
clicking link - nothing
open in new window - nothing
dragging link to mozilla window - jpeg is displayed
save file as - save dialogue with correct name pops up

This is on Linux, using build from CVS, grabbed approx. 12/09 23:50 (tinderbox)

Comment 7

17 years ago
I think there is some user feedback missing, if it is by design that such links
do not work for security reasons. (btw, why is this a hole?)

I just sent a mail pointing to file://///ComputerName/SharedDir/ to a co-worker,
and he could follow the link using Outlook Express, but when I tried to follow
the link in the sent mail, I had to use copy&paste. This gave me the impression
that I had detected a bug - until I read the comments in this one.

Comment 8

17 years ago
I'm confirming this bug for Solaris (buildID 2002061103): 

Jpeg images never show up in the context of web-pages.  In all cases, I can view
the jpeg by right-clicking over the empty space where the image would be and
selecting "View image".

example url:
http://www.time.com/time/asia/magazine/article/0%2C13673%2C501020701-265481%2C00.html

(If the original bug was specific to mail, I should probably refiled this as its
own bug.)
Product: MailNews → Core

Comment 9

13 years ago
Marking invalid; comments 1 and 2 imply the failure to open file: links from messages is by design.  

Bug 135830 is about providing a more nuanced security scheme (and also makes note of the current lack of any response when the link is clicked).
Status: NEW → RESOLVED
Last Resolved: 13 years ago
Resolution: --- → INVALID
Product: Core → MailNews Core
You need to log in before you can comment on or make changes to this bug.