I can't test this at the moment, but confirming based on http://lxr.mozilla.org/seamonkey/source/netwerk/streamconv/converters/nsIndexedToHTML.cpp#164. We need to unescape this, and then entitise it (> -> &gt;, etc). Do we have a generic function to do that which is available from necko? -> critical
Severity: normal → critical
Status: UNCONFIRMED → NEW
Ever confirmed: true
Whiteboard: want for 0.9.4
err. Note to self: do not comment on bugs after spending 9 hours on a flight. Let's try this again. There's not that much of a security impact - you can't do anything you couldn't do as part of a webpage, right. It's unexpected, and it's wrong (and a url with a < in it probably stuffs up later entries), but I can't think of an exploit.
Severity: critical → major
Whiteboard: want for 0.9.4
Can you use it to add inline graphics to an FTP display? That would solve some aspects of bug 90695. :)
I can't seem to make this work. I do see the inline script being evaluated, but nsJSThunk::EvaluateScript() prevents this because the underlying netlib channel (nsStreamIOChannel) does not have an interface requestor. I do not think that this is critical. Mitch, do you concur?
benc: I've done the icons in my dirviewer rewrite.
Run with the system principal? How so? I do not see how this is different than a webpage. Please advise.
Um. How does this run with the system principal? This is a stream converter - if stream converters have any elevated privs then we run into bug 51442 again, don't we?
I've fixed this in my rewrite. The fix is to add a call to nsEscapeHTML before outputting the description. dougt: I don't have net access at home yet, and I have my other ftp patch in the way - can you do this?
I don't know if this runs with the system principal or not, but regardless, you shouldn't be able to sneak in HTML like this - it'll cause trouble one way or another. Let's escape < and > as proposed. Is there a patch already posted somewhere else?
No patch per se - I don't have web access at home til the middle of next week. The following untested-but-something-similar-works-in-my-heavily-hacked-tree pseudo-diff via lxr of nsIndexedToHTML.cpp should work though: 164 nsUnescape(NS_CONST_CAST(char*, filename.get())); + char* htmlEscaped = nsEscapeHtml(filename.get()); -165 pushBuffer.AppendWithConversion(filename); + pushBuffer.AppendWithConversion(htmlEscaped); + nsMemory::Free(htmlEscaped); 166 pushBuffer.AppendWithConversion("</a>"); This function (used by the mime code), escapes <, >, &, and ". +patch, review. I guess.
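Review bot: the added `+ char* htmlEscaped = nsEscapeHtml(filename.get());` line is used by `+ pushBuffer.AppendWithConversion(htmlEscaped);` and then freed without a null check, so an allocation failure would pass a null pointer to the append and to `nsMemory::Free`; guard the result (skip the append when null) before using it. The helper is also spelled `nsEscapeHtml` here but `nsEscapeHTML` in the earlier comment, so confirm the actual symbol name, and confirm that the buffer it returns is meant to be released with `nsMemory::Free` rather than another allocator.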
Keywords: patch, review
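The unescape-then-entitise sequence the thread settles on, as an added C++ example that is not Mozilla's code: urlUnescape and htmlEscape are stand-ins for what the thread attributes to nsUnescape and nsEscapeHtml, and the entry names are constructed.

```cpp
// Added example (not Mozilla's code): a directory-listing entry name is
// percent-decoded first, and the decoded text must be HTML-escaped before
// it is appended to the generated <a> markup.
#include <cctype>
#include <cstdlib>
#include <string>

// Decode %XX sequences, as the listing code does to the raw entry name.
std::string urlUnescape(const std::string& in) {
    std::string out;
    for (size_t i = 0; i < in.size(); ++i) {
        if (in[i] == '%' && i + 2 < in.size()
            && std::isxdigit(static_cast<unsigned char>(in[i + 1]))
            && std::isxdigit(static_cast<unsigned char>(in[i + 2]))) {
            out += static_cast<char>(std::strtol(in.substr(i + 1, 2).c_str(), nullptr, 16));
            i += 2;
        } else {
            out += in[i];
        }
    }
    return out;
}

// Entitise the four characters the thread lists: <, >, &, and ".
std::string htmlEscape(const std::string& in) {
    std::string out;
    for (char c : in) {
        switch (c) {
            case '<':  out += "&lt;";   break;
            case '>':  out += "&gt;";   break;
            case '&':  out += "&amp;";  break;
            case '"':  out += "&quot;"; break;
            default:   out += c;
        }
    }
    return out;
}

// Before the fix: the decoded name goes straight into the HTML text node.
std::string renderEntryUnfixed(const std::string& rawName) {
    return "<a href=\"" + rawName + "\">" + urlUnescape(rawName) + "</a>";
}

// After the fix: decode, then escape, then append (same order as the patch).
std::string renderEntryFixed(const std::string& rawName) {
    return "<a href=\"" + rawName + "\">" + htmlEscape(urlUnescape(rawName)) + "</a>";
}
```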
reassigning to firstname.lastname@example.org.
Assignee: dougt → bbaetz
I fixed this last week when my dirviewer patch landed. Missed marking it fixed because this wasn't listed as a dependency.
Status: NEW → RESOLVED
Last Resolved: 17 years ago
Resolution: --- → FIXED
VERIFIED: Mozilla 1.0, RC1, Win98
Status: RESOLVED → VERIFIED