Closed
Bug 288722
Opened 20 years ago
Closed 19 years ago
ContextMenu.imageURL uses content supplied img-src-getter value.
Categories: Core :: Graphics: Image Blocking, defect
Status: RESOLVED FIXED
People: Reporter: mromarkhan, Assigned: dveditz
Details: Keywords: fixed-aviary1.0.3, fixed1.7.7, Whiteboard: [sg:fix] spoof
Attachments: 2 files
User-Agent: Mozilla/5.0 (Windows; U; Win 9x 4.90; en-US; rv:1.8b2) Gecko/20050401 Firefox/1.0+
Build Identifier: Mozilla/5.0 (Windows; U; Win 9x 4.90; en-US; rv:1.8b2) Gecko/20050401 Firefox/1.0+
Can override an image getter to specify an arbitrary uri.
If user selects context-menu->save image as, the arbitrary uri
is downloaded.
Alright, if words do not suffice:
<img id="x" src="http://www.mozilla.org/images/mozilla-banner.gif"
onload="this.src getter = function() {return
'http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe' };"
/>
Not sure whether to consider this a security bug. Seems like one.
Reproducible: Always
Steps to Reproduce:
1. Load testcase
2. Right click image
3. Select Save Image As
4. Notice exe file is selected
Actual Results:
Exe file is selected instead of image.
Expected Results:
I want to save the image not the file.
Thank you.
Actually, the problem seems to be contextMenu.imageURL (but what do I know?), since I
notice the image blocker is also fooled.
Component: Security → Image Blocking
Summary: Save Image As downloads img uri specified by img-src-getter property. → ContextMenu.imageURL uses content supplied img-src-getter value.
Note, this no longer works on the experimental build relating to bug 289231
"Landing patch from bug 281988 to generate builds for testing purposes. Will be
backed out shortly."
Re [4] I meant Bug 281988 Stop sharing DOM object wrappers between content and
chrome
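Added example, not part of the bug report and not Mozilla's code: a sketch of the pattern under discussion, where privileged code reads a property that page content can shadow, next to a version that reads the native accessor captured beforehand. `FakeImage`, `naiveImageURL`, `trustedImageURL`, `isShadowed`, `contentOverride` and the example.test URLs are hypothetical, and this illustrates the concept only, not how bug 281988 was implemented.

```javascript
// Stand-in for a native element (hypothetical): the real URL lives in
// internal state and is exposed through a prototype accessor, like img.src.
const realSrc = new WeakMap();
class FakeImage {
  constructor(url) { realSrc.set(this, url); }
  get src() { return realSrc.get(this); }
}

// Privileged code captures the native getter before any content script runs,
// so later changes to the instance or the prototype cannot redirect it.
const nativeSrcGetter =
  Object.getOwnPropertyDescriptor(FakeImage.prototype, 'src').get;

// Pattern from the report: trust whatever the content-visible property returns.
function naiveImageURL(img) {
  return img.src;
}

// Hardened: bypass content-defined accessors and read the native state.
function trustedImageURL(img) {
  return nativeSrcGetter.call(img);
}

// Check: does the object carry an own property that shadows the native one?
function isShadowed(img, prop) {
  return Object.prototype.hasOwnProperty.call(img, prop);
}

// Constructed sample: page content shadows src on the instance
// (modern equivalent of the testcase's `this.src getter = ...`).
function contentOverride(img, fakeUrl) {
  Object.defineProperty(img, 'src', { get: () => fakeUrl, configurable: true });
}

const img = new FakeImage('https://example.test/banner.gif');
contentOverride(img, 'https://example.test/other-file.bin');
console.log(naiveImageURL(img), trustedImageURL(img), isShadowed(img, 'src'));
```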
Comment 6•20 years ago (Assignee)
Testcases work again in the 2005040606 builds from this morning after the bug
281988 patch was backed out. That's ultimately the right thing to do and will
most likely land for 1.1, but needs a bit of work first.
Sorry I forgot to confirm this when I first saw it. We've been busy with bug
289074 and friends :-(
Comment 7•20 years ago (Assignee)
Fixed by bug 289074 and friends on the branches
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Comment 8•20 years ago (Assignee)
Fixed on branches, but bug 281988 has not yet landed on trunk.
Comment 9•19 years ago (Assignee)
bug 281988 has landed on trunk for Deer Park Alpha 1
Group: security
Status: REOPENED → RESOLVED
Closed: 20 years ago → 19 years ago
Resolution: --- → FIXED
Updated•19 years ago
Flags: testcase+
Updated•18 years ago
Flags: in-testsuite+ → in-testsuite?