Closed Bug 87758 Opened 23 years ago Closed 23 years ago

Clicking file hyperlink in mail message has no effect

Categories

(SeaMonkey :: MailNews: Message Display, defect)

Product:
SeaMonkey
Component:
MailNews: Message Display
Platform:
x86
Windows 98
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
VERIFIED WONTFIX

People

(Reporter: jonrubin, Assigned: sspitzer)

Details

(Keywords: compat) 

Found in 6.1b build on Win98.

If a mail message contains a file hyperlink (such as file:///c:/), clicking on
the hyperlink has no effect.
Does it really make sense to have a file hyperlink on a mail message?
Maybe only on the case "hey guy on our lan, the document you were looking is in
your file:///c:/file.txt" 
I dont see the importance on this
This is a feature, for security reasons - you can't click on a file url from a
web page, either.

mstoltz?
So if this is a feature why look any further?
Should we support this? Like i said i dont see the practical use for it
In a web page, the file path is not highlighted as a hyperlink (just look at my
original comment on this page); in the mail message, the file path is
highlighted as a hyperlink (look at the mail message that was generated from
this report), which would cause users to expect something to happen when they
click on it.  If there is no practical use for a file hyperlink, then it
shouldn't be highlighted as such.
Just filed bug 88079, which may be related.
I agree with Jon.
This is a really irritating problem, especially for people who send emails
inside the office, and want to point the recipient to a html / asp / txt file on
a shared drive. This was supported in Netscape 4, where clicking on the link
opens the file in a browser window. I suggest adding a 4xp keyword to this bug.
Perhaps we can add something in the code
A simple algorithm that goes like this:

if(sender_is_on_intranet)
file_hyperlinks_executable=true
You can't know whether the sender is on the intranet. They could just forge the
from address, so you can't use that.

+4xp, although I think our behaviour is better, so +compat

This got onto bugtraq recently (opening the various special device files, and so
on). There is a pref you can set to allow it, but I forget what its called. Jesse?

This bug should be closed as WONTFIX, I think.
Keywords: 4xp, compat
We can remember if we want to reply to a user by html or by text only
Using that same "philosophy" we could open file links from certain people
The bugtraq issue is bug 69070, more specifically bug 91316
But I can forge the from address as being from anyone, and then, if you have set
it up so that that person can enable file links, I can trigger the issues in
those bugs. Maybe if we supported signed mail, then that may perhaps be a valid
RFE, although I'm still not convinced.
That would be too complicated
Then, how about just ASKING?
Old ns asked you if you wanted to run or open a file, and with what app did you
want to open the file with
To turn off the restriction on web pages linking to file:/// URLs, add this line
to your prefs.js while Mozilla is not running:

user_pref("security.checkloaduri", false);

Using a pref seems reasonable to me.
But why there should be a difference in behavior between link a: 
http://www.mysite.com/some_virus.exe 
to link b:
file:///g:/my_virus.exe ?

Also, when the file is just an html or a picture nothing malicious can happen.
Clicking on a exe file on a webpage triggers downloading
That's ok

Clicking on an exe in a http url asks whether you want to save the file or
download and automatically execute it.
This question should be asked when the url is file:// . These are just different
network protocols. Behavior should be the same.
Here's on reason why web pages being able to link to local content is dangerous:

Many programs, including some programs that web pages can cause to run (eg media
players and plug-ins), write files to predictable locations on your hard drive.
 If a web page can cause a .html file to be written to one of these locations,
and then links to it, any javascript code in that file will run as local code. 
That isn't as bad as the code having system principal, but it does allow the
javascript to read other files from your hard drive.

There are also DoS attacks on Win98 (MS released a patch a while ago) and on
Linux (which we could work around) that can happen when web pages can link to or
load local files.
Thanks for the explanation, Jesse. As mentioned above, the workaround is to set
a pref. Marking Wontfix.
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → WONTFIX
verified.
Status: RESOLVED → VERIFIED
Product: Browser → Seamonkey
You need to log in before you can comment on or make changes to this bug.