Potential security hole: caching context of .url windows shortcut

RESOLVED INVALID

Status

()

Firefox
Untriaged
P3
normal
RESOLVED INVALID
5 years ago
5 years ago

People

(Reporter: Alexey, Unassigned)

Tracking

15 Branch
x86
Windows Vista
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

(Reporter)

Description

5 years ago
Created attachment 668434 [details]
URL-from-JavaFX.url

User Agent: Mozilla/5.0 (Windows NT 6.0; rv:15.0) Gecko/20100101 Firefox/15.0.1
Build ID: 20120905151427

Steps to reproduce:

Create a file with the [.url] extension with FF as default browser in the OS Windows.
Let's it will [URL-from-JavaFX.url].
Let's the file context is

[InternetShortcut]
URL=http://www.oracle.com 



Actual results:

1. Open the file at the first time. Everything works as expected - FF start with URL http://www.oracle.com.
2. In text editor change the line  
URL=http://www.oracle.com 
to
URL=http://www.google.com 
without file renaming.
3. Save result.
4. Click [MyBest.url] again - FF opens with URL  http://www.oracle.com 


Expected results:

4. Click [URL-from-JavaFX.url] again - FF opens with URL  http://www.google.com 

Ups! You can even restart the FF - the content of shortcut is frozen in cache.
(Reporter)

Updated

5 years ago
Priority: -- → P3
(Reporter)

Comment 1

5 years ago
Seems that is MS OS problem, that stores URL in extended attribute.
Sorry, that is not a FF problem.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → INVALID

Updated

5 years ago
Group: core-security
You need to log in before you can comment on or make changes to this bug.