Dragging a hybrid image file can result in a an executable file saved on the user's desktop with an executable extension. The "firedragging" exploit fixed in Firefox 1.0.1 appears to be back on trunk. http://www.mozilla.org/security/announce/2005/mfsa2005-25.html Since it may be a new cause, and the bug remains fixed for Firefox 2, it seems best to open a new bug than reopen bug 279945. PoC at http://www.mikx.de/firedragging/ Reported to security@mozilla.org by Fernando Muñoz (who plans to blog about this -- http://blog.beford.org/)

regressed between builds 2006-02-20-08 and 2006-02-23-09 -- unfortunately can't narrow down any further because on 2/21-22 builds dragging the image crashes. I think that makes bug 267426 / bug 328077 the most likely culprits.

nsDataObj::GetDownloadDetails doesn't get the file name from the kFilePromiseDestFilename data flavour, that's the problem. I can write a patch to do that, but right now I'm a little confused because nsDataObj comment says // Get data for flavor // The format of the data is (URLSTRING\nFILENAME) for kFilePromiseURLMime, and I'm checking to see if that's true...

No-one ever actually uses the "URL\nFILENAME" format for kFilePromiseURLMime data. That's only used for kURLMime. So instead of trying to parse that, we should just check for kFilePromiseDestFilename and use that if available. We still need to fall back to the filename part of the URI when kFilePromiseDestFilename is not available. Mailnews and maybe other XUL apps depend on that.

Can we get this +'d for blocking 1.9?

Shoot.. sorry, i think i midair'd, as the flag was a ? before. Can someone please + again? thanks.

checked in