Hi to all.
Bug in Firefox allows local files to be stolen:
https://bugzilla.mozilla.org/show_bug.cgi?id=1560291
Test:
Type in the address bar:
file:///c:/
Youtube Video:
https://youtu.be/XU223hfXUVY
Bug in Firefox allows local files to be stolen
Forum rules
This General Discussion board is meant for topics that are still relevant to Pale Moon, web browsers, browser tech, UXP applications, and related, but don't have a more fitting board available.
Please stick to the relevance of this forum here, which focuses on everything around the Pale Moon project and its user community. "Random" subjects don't belong here, and should be posted in the Off-Topic board.
This General Discussion board is meant for topics that are still relevant to Pale Moon, web browsers, browser tech, UXP applications, and related, but don't have a more fitting board available.
Please stick to the relevance of this forum here, which focuses on everything around the Pale Moon project and its user community. "Random" subjects don't belong here, and should be posted in the Off-Topic board.
Re: Bug in Firefox allows local files to be stolen
It is true that local files can access other local files but it isn't true that remote files can steal local files. I would call this desirable behavior. If we busted this than viewing local content would be very broken.
Maybe you should actually read the case and not leave out the fact that this is not actually a security issue or as serious as your clickbate title would suggest.
Maybe you should actually read the case and not leave out the fact that this is not actually a security issue or as serious as your clickbate title would suggest.
-
- Pale Moon guru
- Posts: 35647
- Joined: 2011-08-28, 17:27
- Location: Motala, SE
Re: Bug in Firefox allows local files to be stolen
We have a security policy where a file can only access things in the same directory or subdirectories. This works fine as long as you don't dump unrelated things in the same directory...
It's hard to restrict the thing you're concerned about with here without breaking a huge number of legitimate things people depend on. Like... HTML documentation.
It's hard to restrict the thing you're concerned about with here without breaking a huge number of legitimate things people depend on. Like... HTML documentation.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
-
- Apollo supporter
- Posts: 46
- Joined: 2015-07-31, 04:53
- Location: Clown World
Re: Bug in Firefox allows local files to be stolen
A realistic attack vector is alluded to here: https://www.mozilla.org/en-US/security/ ... 2019-11730. Breaking HTML documentation and such would be a bad thing, though not everyone depends on the status quo. Might it be worth implementing the more strict policy while making it contingent on the value of a new option?
-
- Pale Moon guru
- Posts: 35647
- Joined: 2011-08-28, 17:27
- Location: Motala, SE
Re: Bug in Firefox allows local files to be stolen
The "realistic" attack vector only applies to android AND using a certain mail app on there that dumps unrelated attachments into the same folder/structure with a predictable layout, then using an android version of Firefox to open the html-formatted attachment. In our context, this is unrealistic for several reasons, not in the least the fact that we don't supply Android versions of the browser, and in addition considered a flaw of the mail app to store attachments this way (and a case of PEBCAK where a user opens an html attachment from a stranger -- reading local files tends to be the least of the risks involved there).
If in the future a UXP-based Android app will be created, this potential issue when paired with this "certain email app" should be kept in mind (if that app still suffers from the same oversight), but it is no reason to break the common-use case of loading data from file:// URLs in local documents.
If in the future a UXP-based Android app will be created, this potential issue when paired with this "certain email app" should be kept in mind (if that app still suffers from the same oversight), but it is no reason to break the common-use case of loading data from file:// URLs in local documents.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite