Closed Bug 16672 Opened 25 years ago Closed 25 years ago

[DOGFOOD] JavaScript in HTML email message may read local files

Categories

(Core :: Security, defect, P3)

x86
Windows 95
defect


VERIFIED FIXED

People

(Reporter: joro, Assigned: norrisboyd)

References

Details

(Whiteboard: [PDT+] Have fix)

There seems to be a security bug (or design flaw) in Mozilla 5.0 Messenger. As rhp@netscape.com explained to me:

--------------------------------
When the body of the message is encountered, a new temporary HTML file is written to disk and the following line is added to the XUL document:

<html:iframe id="mail-body-frame" type="content-primary" src="file:///C|/TEMP/nsMimeBody.html" border="0" scrolling="auto" resize="yes" width="100%" flex="1"/>
-------------------------------

The problem is that the SRC of the IFRAME is the "file:" protocol. This means that the JavaScript code in the body of the message (the IFRAME) has read access to all documents in the "file:" protocol. This means that an email message may read local files.

To demonstrate the problem, I suggest the following test case:

1) Create a file "c:\links.html" and put in it an <A HREF=> tag, e.g.:
<A HREF="your text">link1</A>

2) Send an HTML message to yourself which contains the following JavaScript code:
---
<SCRIPT>
s="file"+":///c|/links.html";
a=window.open(s);
setTimeout("alert(a.document.links[0].href)",5000);
</SCRIPT>
----
(I sent the message with Communicator 4.7)

3) Read the message with Mozilla 5.0 and the HREF of the <A> tag will be displayed in an alert box in a few moments.

I tested that with build 1999101608.
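The report above comes down to one origin decision: the message body was written to a temporary file and loaded through an IFRAME whose src was a file: URL, so any script in the body ran with the same origin as every other local file. The following is an added example, not Mozilla code and not from the reporter: a small scanner that parses generated XUL/HTML, reports frame elements whose src uses the file: scheme, and includes a legacy-style same-origin comparison (scheme, host, port) that shows why the body script could reach c|/links.html. The element names, the LOCAL_SCHEMES set and the sample markup are assumptions; the quoted iframe line is the one from the report and the second frame is constructed for contrast.

```python
"""Added example: flag untrusted content that a client renders from a file: URL.

Not Mozilla code. The iframe fragment in SAMPLE_XUL is the one quoted in the
bug report; everything else here is constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: schemes whose origin grants read access to local files.
LOCAL_SCHEMES = {"file"}
# Assumption: frame-like elements worth inspecting (XUL-namespaced iframe included).
FRAME_TAGS = {"iframe", "frame", "html:iframe"}
DEFAULT_PORTS = {"http": 80, "https": 443}


class FrameSrcCollector(HTMLParser):
    """Collects (id, src) for every frame-like element in the markup."""

    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() not in FRAME_TAGS:
            return
        a = dict(attrs)  # attribute name -> value (None for valueless attributes)
        self.frames.append((a.get("id") or "", a.get("src") or ""))


def frames_from_local_files(markup):
    """Return the frames whose src scheme gives the embedded content a local-file origin."""
    parser = FrameSrcCollector()
    parser.feed(markup)
    parser.close()
    findings = []
    for elem_id, src in parser.frames:
        scheme = urlsplit(src).scheme.lower()
        if scheme in LOCAL_SCHEMES:
            findings.append({"id": elem_id, "src": src, "scheme": scheme})
    return findings


def same_origin(url_a, url_b):
    """Legacy same-origin test on (scheme, host, port).

    Every file: URL has an empty host and no port, so all local files collapse
    into one origin; that is exactly what lets a body rendered from
    file:///C|/TEMP/... read file:///c|/links.html.
    """
    def origin(url):
        parts = urlsplit(url)
        scheme = parts.scheme.lower()
        port = parts.port or DEFAULT_PORTS.get(scheme)
        return scheme, parts.hostname, port
    return origin(url_a) == origin(url_b)


# Constructed sample: the fragment quoted in the report, plus a constructed
# frame that loads the body from a non-file origin for comparison.
SAMPLE_XUL = """
<window>
  <html:iframe id="mail-body-frame" type="content-primary"
    src="file:///C|/TEMP/nsMimeBody.html" border="0" scrolling="auto"
    resize="yes" width="100%" flex="1"/>
  <html:iframe id="safe-body-frame" src="about:blank"/>
</window>
"""

if __name__ == "__main__":
    for f in frames_from_local_files(SAMPLE_XUL):
        print(f"frame '{f['id']}' loads untrusted content from {f['scheme']}: {f['src']}")
    print("body <-> local links.html same origin:",
          same_origin("file:///C|/TEMP/nsMimeBody.html", "file:///c|/links.html"))
```

Running the script reports only mail-body-frame, and the same-origin check returns True for the two file: URLs, which is the condition the reporter's test case relies on; a body served from any non-file origin compares as a different origin and the check returns False.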
Status: NEW → ASSIGNED
*** Bug 16521 has been marked as a duplicate of this bug. ***
Travis says that it should be easier to fix the IFRAME src="file://..." after the WebShell changes land.
Whiteboard: waiting for doc loader to land
Blocks: 12633
Target Milestone: M12
Summary: JavaScript in HTML email message may read local files → [dogfood] JavaScript in HTML email message may read local files
Marking dogfood for analysis by PDT at jar's request.
Summary: [dogfood] JavaScript in HTML email message may read local files → [DOGFOOD] JavaScript in HTML email message may read local files
Whiteboard: waiting for doc loader to land → [PDT+]waiting for doc loader to land
Putting on PDT+ radar. But we believe that the temp file is no longer being used, thus this bug is fixed. rhp?
Sorry, the temp file still exists for the body of the message. When you are displaying an email message, you are looking at a XUL document with the body living in an IFRAME. Problem still relevant. - rhp
Whiteboard: [PDT+]waiting for doc loader to land → [PDT+] Try for 12/3 -- risky
Blocks: 20870
Whiteboard: [PDT+] Try for 12/3 -- risky → [PDT+] Have fix
Status: ASSIGNED → RESOLVED
Closed: 25 years ago
Resolution: --- → FIXED
Checking in mailnews/mime/emitters/src/nsMimeXULEmitter.cpp;
/m/pub/mozilla/mailnews/mime/emitters/src/nsMimeXULEmitter.cpp,v <-- nsMimeXULEmitter.cpp
new revision: 1.47; previous revision: 1.46
done
Checking in mailnews/mime/emitters/src/nsMimeXULEmitter.h;
/m/pub/mozilla/mailnews/mime/emitters/src/nsMimeXULEmitter.h,v <-- nsMimeXULEmitter.h
new revision: 1.12; previous revision: 1.11
done
Blocks: 21564
Updating QA Contact.
QA Contact: dshea → paw
Marking verified per Norris's comments
Status: RESOLVED → VERIFIED
Bulk moving all Browser Security bugs to new Security: General component. The previous Security component for Browser will be deleted.
Component: Security → Security: General
No longer blocks: 20870
No longer blocks: 21564