Bug 16672 (Closed)
[DOGFOOD] JavaScript in HTML email message may read local files
Opened 25 years ago, closed 25 years ago
Categories: Core :: Security, defect, P3
Status: VERIFIED FIXED, M12
People: Reporter: joro, Assigned: norrisboyd
Whiteboard: [PDT+] Have fix
There seems to be a security bug (or design flaw) in Mozilla 5.0 Messenger:
As rhp@netscape.com explained to me:
--------------------------------
When the body of the message
is encountered, a new temporary HTML file is written to disk and the following
line is added to the XUL document:
<html:iframe id="mail-body-frame" type="content-primary"
src="file:///C|/TEMP/nsMimeBody.html" border="0" scrolling="auto" resize="yes"
width="100%" flex="1"/>
-------------------------------
The problem is that the SRC of the IFRAME is the "file:" protocol. This means
that the JavaScript code in the body of the message (the IFRAME) has reading
access to all documents in the "file:" protocol.
This means that an email message may read local files.
To demonstrate the problem, I suggest the following test case:
1) Create a file "c:\links.html" and put in it an <A HREF=> tag, e.g. :
<A HREF="your text">link1</A>
2) Send HTML message to yourself which contains the following javascript code:
---
<SCRIPT>
s="file"+":///c|/links.html";
a=window.open(s);
setTimeout("alert(a.document.links[0].href)",5000);
</SCRIPT>
----
(I sent the message with Communicator 4.7)
3) Read the message with Mozilla 5.0 and the HREF of the <A> tag will be
displayed in an alert box in a few moments.
I tested that with build 1999101608.
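The origin comparison behind the report above, as an added example that is not part of the original bug or Mozilla's code: it shows why a scheme/host/port check puts the temp message body and any other local file in one origin. The `sameOriginOpaqueFile` policy and the `x-msg-body:` URL are assumptions made for illustration, not the fix that was checked in.

```javascript
// Added illustration. The two file: URLs are the ones quoted in the report.
const MESSAGE_BODY = "file:///C|/TEMP/nsMimeBody.html"; // temp file loaded by the IFRAME
const LOCAL_FILES = ["file:///c|/links.html"];          // file opened by the test case
// Constructed, hypothetical URL: the same body served under a non-file scheme.
const NON_FILE_BODY = "x-msg-body://message/1";

// Scheme/host/port triple, the unit a classic same-origin check compares.
function originTuple(urlString) {
  const u = new URL(urlString);
  return { scheme: u.protocol, host: u.hostname.toLowerCase(), port: u.port };
}

// Naive policy: equal triples mean same origin. Every file: URL has an empty
// host and port, so all local files collapse into a single origin.
function sameOriginNaive(a, b) {
  const x = originTuple(a), y = originTuple(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Stricter policy (an assumption for this example): a file: document gets an
// opaque origin that matches nothing except the identical URL.
function sameOriginOpaqueFile(a, b) {
  const x = originTuple(a), y = originTuple(b);
  if (x.scheme === "file:" || y.scheme === "file:") {
    return new URL(a).href === new URL(b).href;
  }
  return sameOriginNaive(a, b);
}

// Which of `targets` could a script running in `docUrl` read under `policy`?
function readableBy(docUrl, targets, policy) {
  return targets.filter((t) => policy(docUrl, t));
}

console.log("naive, file: body      ->", readableBy(MESSAGE_BODY, LOCAL_FILES, sameOriginNaive));
console.log("opaque file:, file body ->", readableBy(MESSAGE_BODY, LOCAL_FILES, sameOriginOpaqueFile));
console.log("naive, non-file body   ->", readableBy(NON_FILE_BODY, LOCAL_FILES, sameOriginNaive));
```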
Assignee
Updated • 25 years ago
Status: NEW → ASSIGNED
Assignee
Comment 2 • 25 years ago
Travis says that it should be easier to fix the IFRAME src="file://..." after
the WebShell changes land.
Assignee
Updated • 25 years ago
Whiteboard: waiting for doc loader to land
Assignee
Updated • 25 years ago
Target Milestone: M12
Assignee
Updated • 25 years ago
Summary: JavaScript in HTML email message may read local files → [dogfood] JavaScript in HTML email message may read local files
Assignee
Comment 3 • 25 years ago
Marking dogfood for analysis by PDT at jar's request.
Assignee
Updated • 25 years ago
Summary: [dogfood] JavaScript in HTML email message may read local files → [DOGFOOD] JavaScript in HTML email message may read local files
Whiteboard: waiting for doc loader to land → [PDT+]waiting for doc loader to land
Putting on PDT+ radar. But we believe that temp file is no longer being used,
thus this bug is fixed. rhp?
Comment 5 • 25 years ago
Sorry, the temp file still exists for the body of the message. When you are
displaying an email message, you are looking at a XUL document with the body
living in an IFRAME. Problem still relevant.
- rhp
Assignee
Updated • 25 years ago
Whiteboard: [PDT+]waiting for doc loader to land → [PDT+] Try for 12/3 -- risky
Assignee
Updated • 25 years ago
Whiteboard: [PDT+] Try for 12/3 -- risky → [PDT+] Have fix
Assignee
Updated • 25 years ago
Status: ASSIGNED → RESOLVED
Closed: 25 years ago
Resolution: --- → FIXED
Assignee
Comment 6 • 25 years ago
Checking in mailnews/mime/emitters/src/nsMimeXULEmitter.cpp;
/m/pub/mozilla/mailnews/mime/emitters/src/nsMimeXULEmitter.cpp,v <-- nsMimeXULEmitter.cpp
new revision: 1.47; previous revision: 1.46
done
Checking in mailnews/mime/emitters/src/nsMimeXULEmitter.h;
/m/pub/mozilla/mailnews/mime/emitters/src/nsMimeXULEmitter.h,v <-- nsMimeXULEmitter.h
new revision: 1.12; previous revision: 1.11
done
Bulk moving all Browser Security bugs to new Security: General component. The
previous Security component for Browser will be deleted.
Component: Security → Security: General