Open
Bug 395343
Opened 17 years ago
Updated 2 years ago
escaping "samedir" and "subdir" file: access restrictions
Categories
(Core :: Networking: File, defect, P3)
Tracking
()
NEW
People
(Reporter: dveditz, Assigned: dveditz)
References
Details
(Whiteboard: [necko-backlog])
Attachments
(1 file)
|
(deleted),
application/x-zip-compressed
|
Details |
The same-origin restrictions for file: URIs added in bug 230606 have several modes of varying restriction. The FILEURI_SOP_SAMEDIR and FILEURI_SOP_SUBDIR modes can be fooled with combinations of .. traversal and escaped slashes (see bug 230606 comment 56). Not sure yet if the problem is in the fileURL code or the nsLocalFile code, or bad assumptions they make about each other.
bug 380994 is part of this but may not fix the whole problem.
|
Assignee | |
Comment 1•17 years ago
|
||
Here's a testcase that can be used to demonstrate some of the problems. Download and unzip locally. Load fileuri/test.html and click the test() button.
Using about:config you can adjust the security.fileuri.origin_policy pref from 0 to 4 to see what slips through in various modes. The original default setting was going to be 0 but that broke automated tests (bindings and xul overlays are checked for same-origin). The current default is "2", allowing access to files in subdirectories, though might switch to "1" (same directory).
|
|
Assignee | |
Comment 2•17 years ago
|
||
Oh, another access problem is that in FILEURI_SOP_SELF mode the raw URIs are compared, so two things that are the same file might not test as equal. One thing that broke one of the automated tests was that fragment identifiers caused URIs not to match, and an XSLT test resulted in file://foo/bar.txt# which didn't match the original version without the trailing #
|
|
Assignee | |
Updated•17 years ago
|
Flags: wanted1.8.1.x+
Flags: blocking1.9?
|
||
Comment 3•17 years ago
|
||
some tests show directory traversal doesn't work.
|
|
Assignee | |
Comment 4•17 years ago
|
||
Oh good, then this is a windows-only issue. I definitely get directory traversal using the attached testcase unzipped locally using security.fileuri.origin_policy set to 1 or 2.
OS: All → Windows XP
Hardware: All → PC
|
|
Assignee | |
Updated•17 years ago
|
Flags: blocking1.8.1.7?
|
|
||
Comment 5•17 years ago
|
||
dvedtitz, please double check it is windoze only.
have you tried unicode attacks on windoze?
http://www.honeynet.org/scans/scan14/sub/som13.txt
quote:
The IIS Unicode exploit was obtained by
GET /guest/default.asp/..%C0%AF../..%C0%AF../..%C0%AF../boot.ini
|
|
||
Comment 6•17 years ago
|
||
Bug 395752 circumvents this, though probably it is another problem
|
|
Assignee | |
Updated•17 years ago
|
Flags: blocking1.8.1.7? → wanted1.8.0.x+
|
||
Updated•17 years ago
|
Flags: blocking1.9? → blocking1.9+
|
||
Updated•17 years ago
|
Priority: -- → P3
|
||
Updated•17 years ago
|
Flags: tracking1.9+ → wanted1.9.0.x+
|
||
Updated•9 years ago
|
Whiteboard: [necko-backlog]
|
||
Comment 7•7 years ago
|
||
Bulk change to priority: https://bugzilla.mozilla.org/show_bug.cgi?id=1399258
Priority: P3 → P1
|
|
||
Comment 8•7 years ago
|
||
Bulk change to priority: https://bugzilla.mozilla.org/show_bug.cgi?id=1399258
Priority: P1 → P3
|
||
Updated•2 years ago
|
Severity: normal → S3
You need to log in
before you can comment on or make changes to this bug.
Description
•