Closed
Bug 803143
Opened 12 years ago
Closed 5 years ago
Local files can access other files in the same directory
Categories
(Core :: DOM: Security, defect, P3)
Tracking
()
RESOLVED
FIXED
mozilla69
People
(Reporter: skyskif, Assigned: baku)
References
(Blocks 1 open bug)
Details
(Keywords: sec-want, Whiteboard: [domsecurity-backlog1][webext-sec])
Attachments
(2 files)
User Agent: Mozilla/5.0 (Windows NT 5.1; rv:16.0) Gecko/20100101 Firefox/16.0 Build ID: 20121010144125 Steps to reproduce: qframe.htm opened from the desktop Actual results: Shows the data from my file a password.txt which is located on the desktop. Expected results: Show a blank page
Reporter | ||
Comment 1•12 years ago
|
||
If the desktop run the qframe.htm you can steal a file on desktop.This can be done from any directory, provided that the file will be the same as a directory for a file that can be stolen.
Reporter | ||
Comment 2•12 years ago
|
||
Reporter | ||
Comment 3•12 years ago
|
||
I have an addiction to unpack archives to the desktop and save passwords in text documents on the desktop. I think that I am not alone in this.
Comment 4•12 years ago
|
||
Chrome fails the same test with: XMLHttpRequest cannot load file:///Users/stefan/Downloads/data%20theft/passwords.txt. Origin null is not allowed by Access-Control-Allow-Origin.
Reporter | ||
Comment 5•12 years ago
|
||
Nowhere except Mozilla Firefox fails the same test.
Reporter | ||
Comment 6•12 years ago
|
||
I think Mozilla Firefox determines the file directory as domain (file:///C:/....) and when comparing domains coincide and script works. And in Chrome determines the file directory as IP and security policy prohibits actions on a different domain. I could be wrong.
Updated•12 years ago
|
Component: Untriaged → Security
Product: Firefox → Core
Comment 7•12 years ago
|
||
Chrome has a very restrictive file:// security policy: every single file is a different origin. This unfortunately breaks a lot of use cases (e.g. HTML documentation). We have a security policy where a file can only access things in the same directory or subdirectories. This works fine as long as you don't dump unrelated things in the same directory... It's hard to restrict the thing you're concerned about with here without breaking a huge number of legitimate things people depend on. :( Probably worth reading the extensive past discussion about this.
Whiteboard: DUPEME
Comment 8•12 years ago
|
||
So one question is whether we should just special-case the desktop....
Summary: data theft (jQuerty) → Local files can access other files in the same directory
Comment 9•12 years ago
|
||
Boris, should an XMLHTTPRequest actually be able to load a file:// URL at all? Do people depend on that? FYI: Safari allows me to access ../../../../../../etc/passwd from a local html file in ~/Desktop. So we are somewhere in the middle between Wide Open (Safari) and Very Restricted (Chrome). Not bad?
Comment 10•12 years ago
|
||
> Boris, should an XMLHTTPRequest actually be able to load a file:// URL at all? Do people
> depend on that?
People definitely depend on that.
But you don't even need to do XHR. You could just load the file:// in an iframe and then poke at the resulting DOM, as long as you're same-origin.
Comment 11•12 years ago
|
||
Ok my bad. I thought the XMLHTTPRequest was the exception here. But if you can poke at the DOM for frames in same-origin then the XMLHTTPRequest thought was just a red herring i guess.
Reporter | ||
Comment 12•12 years ago
|
||
Which red herring?I used XHR to get the data from the file, I got them, and I can use this data as I please. For example to display on the screen or sent to my server. What have Iframe ? Or do you want to say that from Iframe can also get the data? But even if so, the problem is not solved are deteriorate. Or am I wrong?
Comment 13•12 years ago
|
||
> Or do you want to say that from Iframe can also get the data?
Yes.
Reporter | ||
Comment 14•12 years ago
|
||
But somehow not I was able to get the data. Well, okay, not really understand about the "red herring"?
Reporter | ||
Comment 15•12 years ago
|
||
Even become interesting. How to get it local file data from iframe? You have example?
Reporter | ||
Comment 16•12 years ago
|
||
I just tried a lot of things and does not work.
Reporter | ||
Comment 17•12 years ago
|
||
Well, yes, in principle. Example: <iframe src="passwords.txt" id="11" ></iframe> <input type="button" onclick="dd()" value="xXx"> <script> function dd(){ alert(document.getElementById('11').contentWindow.document.body.outerHTML) } </script>
Comment 18•12 years ago
|
||
This is public, known behavior of our file: implementation (discussed, for example, in Michal Zalewski's book "The Tangled Web") so no need to hide the bug.
Group: core-security
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment 20•7 years ago
|
||
Chrome has a very strict "each file: is a unique origin" approach and doesn't appear to be racking up tons of complaints. Maybe we can switch to an even more restrictive implementation now.
Updated•7 years ago
|
Priority: -- → P3
Whiteboard: [domsecurity-backlog1]
Assignee | ||
Comment 24•6 years ago
|
||
I don't think we want to follow the chrome's approach of having unique origin per each file. We already have a 'per-directory' origin that allows us to load resources, workers and so on. I would close this bug as WORKFORME. Feedback?
Flags: needinfo?(dveditz)
Comment 25•6 years ago
|
||
We get a steady stream of reports (especially bug bounty seekers) pointing out various bad outcomes from our approach, especially since most files will be run from the default Downloads directory with lots of other juicy sensitive information likely to be nearby. So yeah, in fact, I'd prefer to follow Chrome's approach by default. Yes, there used to be lots of things that depended on this behavior years ago, but I don't see too much stuff these days that says "First, go get Firefox because it doesn't work in any other browser."
Flags: needinfo?(dveditz)
Updated•6 years ago
|
Group: core-security-release
Comment 28•6 years ago
|
||
(In reply to Vladimir Bostanov from comment #27) > The origin policy for file:// is not really a bug, but the result of a > deliberate decision that has been challenged before and is about to be > changed now. Is that correct? The current file:/// behavior was an intentional choice that at the time was much stricter than the primordial status quo. The world has moved on and webkit/chrome has shown we can get away with strict unique origins now (bug 1500453).
Group: core-security-release
Comment 31•5 years ago
|
||
Hi!
I wrote the report 1558299 (duplicate) because I wasn't sure that it is a vulnerability or a feature. After reading same origin policy of Firefox I closed the report but I have opened it again because I have found a working proof-of-concept: abusing Firefox SOP an attacker can steal victim's sent documents via WhatsApp. I think that it is a serious problem, but I see that this "bug" is not a bug but it is a feature. So I have a question: can I write about this on my blog? This bug-feature of Firefox doesn't seem to be a secret.
Best regards
Updated•5 years ago
|
Blocks: CVE-2020-6809
Updated•5 years ago
|
status-firefox67:
--- → wontfix
status-firefox67.0.1:
--- → wontfix
status-firefox68:
--- → affected
status-firefox69:
--- → affected
status-firefox-esr60:
--- → affected
status-firefox-esr68:
--- → affected
Comment 33•5 years ago
|
||
This was fixed in bug 1500453 / bug 1558299
Updated•5 years ago
|
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Updated•5 years ago
|
Whiteboard: [domsecurity-backlog1] → [domsecurity-backlog1][webext-sec]
Updated•5 years ago
|
Assignee: nobody → amarchesini
No longer blocks: 1500453
Depends on: 1500453, CVE-2019-11730
Target Milestone: --- → mozilla69
You need to log in
before you can comment on or make changes to this bug.
Description
•