Bug in Firefox allows local files to be stolen


Unread post by Sampei Nihira » 2019-07-04, 17:46

Hi to all.
Bug in Firefox allows local files to be stolen:

https://bugzilla.mozilla.org/show_bug.cgi?id=1560291

Test:

Type in the address bar:

file:///c:/

YouTube video:

https://youtu.be/XU223hfXUVY


Re: Bug in Firefox allows local files to be stolen

Unread post by New Tobin Paradigm » 2019-07-04, 17:55

It is true that local files can access other local files but it isn't true that remote files can steal local files. I would call this desirable behavior. If we busted this then viewing local content would be very broken.

Maybe you should actually read the case and not leave out the fact that this is not actually a security issue or as serious as your clickbait title would suggest.
- So then, "mono" means one, and "rail" means rail! -
And that concludes our intensive three-week course.
http://binaryoutcast.com/ | http://thereisonlyxul.org/


Re: Bug in Firefox allows local files to be stolen

Unread post by Moonchild » 2019-07-04, 18:01

We have a security policy where a file can only access things in the same directory or subdirectories. This works fine as long as you don't dump unrelated things in the same directory...

It's hard to restrict the thing you're concerned about here without breaking a huge number of legitimate things people depend on. Like... HTML documentation.
City of Heroes public server: https://www.moonshard.org/ -- Vote for it on cohservers.com

"If you want to build a better world for yourself, you have to be willing to build one for everybody." -- Coyote Osborne

Re: Bug in Firefox allows local files to be stolen

Unread post by plushkava » 2019-07-14, 06:50

A realistic attack vector is alluded to here: https://www.mozilla.org/en-US/security/ ... 2019-11730. Breaking HTML documentation and such would be a bad thing, though not everyone depends on the status quo. Might it be worth implementing the more strict policy while making it contingent on the value of a new option?


Re: Bug in Firefox allows local files to be stolen

Unread post by Moonchild » 2019-07-14, 11:13

The "realistic" attack vector only applies to Android AND using a certain mail app on there that dumps unrelated attachments into the same folder/structure with a predictable layout, then using an Android version of Firefox to open the HTML-formatted attachment. In our context, this is unrealistic for several reasons, not least the fact that we don't supply Android versions of the browser, and in addition considered a flaw of the mail app to store attachments this way (and a case of PEBCAK where a user opens an HTML attachment from a stranger -- reading local files tends to be the least of the risks involved there).
If in the future a UXP-based Android app will be created, this potential issue when paired with this "certain email app" should be kept in mind (if that app still suffers from the same oversight), but it is no reason to break the common-use case of loading data from file:// URLs in local documents.
City of Heroes public server: https://www.moonshard.org/ -- Vote for it on cohservers.com

"If you want to build a better world for yourself, you have to be willing to build one for everybody." -- Coyote Osborne
