Bugzilla@Mozilla – Bug 416318
resource:// traversal allows stealing files from a local page
Last modified: 2008-11-16 20:50:05 PST
Created attachment 302100 [details]
sav1.html

trunk has restrictions on what local html can access.

this can be bypassed via resource:// traversal:

resource:///%2E%2E%2F%2E%2E%2F..%2F..%2F..%2F..%2F..%2Fproc/self/environ

saves the environment of firefox (containing the salty profile name)

later if the page is opened locally with |file| protocol, the file can be read.

testcase reads /proc/self/environ (note that |self| is the pid of the saving firefox)

requires saving a file => sg:moderate
Not blocking 1.9, but yes blocking 1.9.0.x. Feel free to argue with me.
Dan are you working on this? If not can you suggest an alternate?
Fixed by bug 380994 on branches, not yet on mozilla-central
Verified on Ubuntu 8.0.4:

Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.2) Gecko/2008082909 Firefox/3.0.2
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.17) Gecko/2008082909 Firefox/2.0.0.17

In 20017/3.0.2 when I enter resource:///%2E%2E%2F%2E%2E%2F..%2F..%2F..%2F..%2F..%2Fproc/self/environ in the location bar I get a page load error. In 20016/3.0.1 I was prompted to save a file.
bug 380994 checked in:
http://hg.mozilla.org/mozilla-central/rev/6dad95d60106
http://hg.mozilla.org/mozilla-central/rev/1eccc541661c
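
The traversal string in this report hides its `../` segments behind percent-encoding. As an added example (not Gecko's code and not the patch from bug 380994), the C++ below shows one way a resource-style handler can decode first, then normalize, and refuse any path that would climb above its root. The function names and the `/opt/app` root are assumptions made for the example.

```cpp
#include <cctype>
#include <iostream>
#include <string>
#include <vector>

// Decode %XX escapes exactly once. Fails on malformed escapes or an encoded NUL.
static bool percent_decode(const std::string& in, std::string& out) {
    out.clear();
    for (size_t i = 0; i < in.size(); ++i) {
        if (in[i] != '%') { out += in[i]; continue; }
        if (i + 2 >= in.size() ||
            !std::isxdigit(static_cast<unsigned char>(in[i + 1])) ||
            !std::isxdigit(static_cast<unsigned char>(in[i + 2]))) return false;
        char c = static_cast<char>(std::stoi(in.substr(i + 1, 2), nullptr, 16));
        if (c == '\0') return false;
        out += c;
        i += 2;
    }
    return true;
}

// Map the path part of a resource-style URL onto a file under `root`.
// Returns false if the decoded path would climb above `root`.
bool resolve_under_root(const std::string& root, const std::string& url_path,
                        std::string& resolved) {
    std::string decoded;
    if (!percent_decode(url_path, decoded)) return false;
    std::vector<std::string> stack;
    std::string seg;
    for (size_t i = 0; i <= decoded.size(); ++i) {
        if (i < decoded.size() && decoded[i] != '/') { seg += decoded[i]; continue; }
        if (seg == "..") {
            if (stack.empty()) return false;  // would escape the root: reject
            stack.pop_back();
        } else if (!seg.empty() && seg != ".") {
            stack.push_back(seg);
        }
        seg.clear();
    }
    resolved = root;
    for (const auto& s : stack) resolved += "/" + s;
    return true;
}

int main() {
    std::string out;
    // Path taken from this bug report; "/opt/app" is a constructed root.
    const char* p = "/%2E%2E%2F%2E%2E%2F..%2F..%2F..%2F..%2F..%2Fproc/self/environ";
    std::cout << (resolve_under_root("/opt/app", p, out) ? out : "rejected") << "\n";
}
```

Because the check runs on the decoded, segment-by-segment form, `%2E%2E%2F` and `..%2F` are treated the same as a literal `../`.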