Closed Bug 288722 Opened 20 years ago Closed 19 years ago

ContextMenu.imageURL uses content supplied img-src-getter value.

Categories

(Core :: Graphics: Image Blocking, defect)

x86
Windows ME
defect
Not set
normal

Tracking

()

RESOLVED FIXED

People

(Reporter: mromarkhan, Assigned: dveditz)

References

Details

(Keywords: fixed-aviary1.0.3, fixed1.7.7, Whiteboard: [sg:fix] spoof)

Attachments

(2 files)

User-Agent: Mozilla/5.0 (Windows; U; Win 9x 4.90; en-US; rv:1.8b2) Gecko/20050401 Firefox/1.0+ Build Identifier: Mozilla/5.0 (Windows; U; Win 9x 4.90; en-US; rv:1.8b2) Gecko/20050401 Firefox/1.0+ Can override an image getter to specify an arbitrary uri. If user selects context-menu->save image as, the arbitrary uri is downloaded. Alright, if words do not suffice: <img id="x" src="http://www.mozilla.org/images/mozilla-banner.gif" onload="this.src getter = function() {return 'http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe' };" /> Not sure if consider security bug. Seems like one. Reproducible: Always Steps to Reproduce: 1. Load testcase 2. Right click image 3. Select Save Image As 4. Notice exe file is selected Actual Results: Exe file is selected instead of image. Expected Results: I want to save the image not the file. Thank you.
Attached file Testcase (deleted) —
Is this a security bug?
Actually problem seems to be contextMenu.imageURL (but what do I know?), since I notice the image blocker is also fooled.
Component: Security → Image Blocking
Summary: Save Image As downloads img uri specified by img-src-getter property. → ContextMenu.imageURL uses content supplied img-src-getter value.
ImageMap next?
Note, this no longer works on expiremental build relating to bug 289231 "Landing patch from bug 281988 to generate builds for testing purposes. Will be backed out shortly."
Re [4] I meant Bug 281988 Stop sharing DOM object wrappers between content and chrome
Testcases work again in the 2005040606 builds from this morning after the bug 281988 patch was backed out. That's ultimately the right thing to do and will most likely land for 1.1, but needs a bit of work first. Sorry I forgot to confirm this when I first saw it. We've been busy with bug 289074 and friends :-(
Status: UNCONFIRMED → NEW
Depends on: 281988
Ever confirmed: true
Whiteboard: [sg:fix] spoof
Fixed by bug 289074 and friends on the branches
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Fixed on branches, but bug 281988 has not yet landed on trunk.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
bug 281988 has landed on trunk for Deer Park Alpha 1
Group: security
Status: REOPENED → RESOLVED
Closed: 20 years ago19 years ago
Resolution: --- → FIXED
Flags: testcase+
Flags: in-testsuite+ → in-testsuite?
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: