Closed
Bug 768872
Opened 12 years ago
Closed 12 years ago
jar: allows Java to read arbitrary ZIP files across origins (including ODT files)
Categories
(Plugins Graveyard :: Java (Oracle), defect)
Tracking
(Not tracked)
RESOLVED
WONTFIX
People
(Reporter: freddy, Unassigned)
References
Details
(Keywords: sec-high, sec-vector, Whiteboard: cross-browser in applet form)
Attachments
(2 files)
I just found a way to read arbitrary ZIP files on other origins. This includes listing the files contained in the ZIP as well as their content. Since other file formats build on ZIPs, we can read .odt and .docx files as well. Because of LiveConnect, my PoC requires Java. It has been tested with Java7 Update 5 on a Windows 7 x64 virtual machine.
Comment 1•12 years ago
Does this actually work on the web? If you run this from a file:/// URI then java seems to think all "no host" urls are "local", and jar:scheme: looks like no host to them. Will try it after this mtg. Fixed in Firefox 15 by bug 748343 (removal of window.java and window.Package)
status-firefox-esr10:
--- → affected
status-firefox14:
--- → affected
status-firefox15:
--- → fixed
status-firefox16:
--- → fixed
tracking-firefox-esr10:
--- → ?
tracking-firefox14:
--- → ?
tracking-firefox15:
--- → +
tracking-firefox16:
--- → +
Depends on: 748343
Keywords: sec-vector
Comment 2•12 years ago
It *does* work from the web... I find this surprising. What else is broken?
Keywords: sec-high
Comment 3•12 years ago
Does this work within an applet? It's java making the connection and supposedly validating the origins. If they're not validating the net origin can LiveConnect be used in this way to read local files as well?
Reporter
Comment 4•12 years ago
I didn't get it to read file:// URIs, I think there's some java.security.manager or java.lang.SecurityManager in the way. My java is a little rusty. Me not getting it to work does not mean it's impossible ;) *But* here's the big news: The bug triggers in applets. Confirmed with IE, Opera, Chrome, Firefox.
status-firefox-esr10:
affected → ---
status-firefox14:
affected → ---
status-firefox15:
fixed → ---
status-firefox16:
fixed → ---
tracking-firefox-esr10:
? → ---
tracking-firefox14:
? → ---
tracking-firefox15:
+ → ---
tracking-firefox16:
+ → ---
Comment 5•12 years ago
If you have this already compiled to an applet it'd be handy to upload the testcase.
Component: DOM → Java (Oracle)
Product: Core → Plugins
QA Contact: general → oracle-java
Summary: LiveConnect allows JavaScript to read arbitrary ZIP files across origins (including ODT files) → jar: allows Java to read arbitrary ZIP files across origins (including ODT files)
Whiteboard: cross-browser in applet form
Version: 13 Branch → unspecified
Reporter
Comment 6•12 years ago
Just wrap in applet tag. Make width and height a few hundred pixels each.
Reporter
Comment 7•12 years ago
Applet added. Oracle is going to be notified of this.
Comment 8•12 years ago
(In reply to Frederik Braun [:freddyb] from comment #7)
> Applet added. Oracle is going to be notified of this.
Did they respond or give you any kind of tracking number?
Reporter
Comment 9•12 years ago
Sorry,
Tracking #: S0191404
Description: ORACLE JAVA JRE 7U5 SOP BYPASS FOR ZIP-BASED FILETYPES
Status: Under investigation / Being fixed in main codeline
Reporter
Comment 10•12 years ago
This is fixed with Java JRE 7 Update 9. Resolved/Fixed?
Reporter
Comment 11•12 years ago
My bad, I just worked through my Proof Of Concept again and it still works. Status is still "Under investigation / Being fixed in main codeline" from Oracle's side.
Reporter
Comment 12•12 years ago
Tracking #: S0191404
Description: ORACLE JAVA JRE 7U5 SOPBYPASS FOR ZIP-BASED FILETYPES
Status: Issue fixed in main codeline, scheduled for a future CPU
Comment 13•12 years ago
Resolving fixed based on comment 10.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Comment 14•12 years ago
Will be fixed by Oracle update on conversation with Freddy.
Resolution: FIXED → WONTFIX
Updated•11 years ago
status-firefox-esr17:
--- → wontfix
Updated•11 years ago
status-b2g18:
--- → wontfix
Updated•9 years ago
Group: core-security → core-security-release
Assignee
Updated•8 years ago
Product: Plugins → Plugins Graveyard
Comment 15•4 years ago
Removing employee no longer with company from CC list of private bugs.
status-b2g18:
wontfix → ---
status-firefox-esr17:
wontfix → ---
Updated•4 years ago
Group: core-security-release