Issue 595558


Issue metadata

Status: WontFix
Owner:
Closed: Mar 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: ----
Type: Bug-Security




Security: Possible RAR issues in ChromeOS guest mode

Reported by resea...@nightwatchcybersecurity.com, Mar 17 2016

Issue description

VULNERABILITY DETAILS
RAR files are accessible while in Guest mode, while all other archives (ZIP, tar, tar.gz, etc.) are not. Additionally, because of bug #579035, we observed that double-clicking on a file inside the RAR file does not properly encode the name of the file when opening in Chrome. We are attaching a test RAR file and a screenshot. Third, because archives are processed as mounted file systems, it may be possible that they will result in different file permissions than regular downloaded files.

VERSION
Chrome Version: 49.0.2623.95 (Official Build) (64-bit)
Operating System: ChromeOS 7834.60.0 (= Official Build) stable-channel parrot

REPRODUCTION CASE
Open a RAR file, and see it mount. Also, double click the non-English PDF file inside and observe the name un-encoded in Chrome. File originally came from:

http://www.mesherasrub.ru/Kak_postroit_selskii_dom.rar

 
Attachments:
Kak_postroit_selskii_dom.rar (3.7 MB)
Screenshot 2016-03-16 at 8.02.39 PM.png (32.1 KB)

Comment 1 by mea...@chromium.org, Mar 18 2016

Labels: Needs-Feedback
Thanks for the report. I'm getting an error saying zip files are not supported, whereas rar mounts fine. Are you saying rar files shouldn't be mounted in guest mode either? I don't see a vulnerability here, sounds like zip files are also supported as long as an extension/app is installed to handle them too.

If all archives are banned for security reasons then RAR should be also.

However, we are more concerned about the fact that the file names of files coming out of RARs are not escaped properly in Chrome.

Comment 3 by sheriffbot@chromium.org, Mar 18 2016

Labels: -Needs-Feedback Needs-Review
Owner: mea...@chromium.org
Status: Assigned (was: Unconfirmed)
Thank you for providing more feedback. Assigning to requester "meacer@chromium.org" for another review.

For more details visit https://sites.google.com/a/chromium.org/dev/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 4 by mea...@chromium.org, Mar 18 2016

> If all archives are banned for security reasons then RAR should be also.

That was my question, I don't see any indication that other archive types are banned. For zip files I'm getting an error that says I need to install an extension or app to open the file.

> However, we are more concerned about the fact that the file names of files coming out of RARs are not escaped properly in Chrome.

Can you please file a separate bug for this?

Comment 5 by mea...@chromium.org, Mar 18 2016

Components: Platform>Apps>FileManager
Owner: mtomasz@chromium.org
mtomasz: Assigning to you, please reassign as appropriate. Does ChromeOS explicitly block archive types from mounting in Guest mode?

meacer: Filed as a separate bug - 596298

Comment 7 by mea...@chromium.org, Mar 21 2016

Labels: OS-Chrome
Cc: fukino@chromium.org
Status: WontFix (was: Assigned)
It's true that RAR works in guest mode, but ZIP doesn't. It's inconsistent, but working as intended. Note that RAR is using FUSE, which we want to stop using in the long term.

RAR and ZIP use completely different flows. RAR uses FUSE, ZIP uses the FSP API. We want to migrate RAR to use the FSP API, but we're blocked on the libarchive library which we're using for archives.

Closing as WontFix. As for file names, I'll comment in crbug.com/596298.

Comment 9 by sheriffbot@chromium.org, Jun 28 2016

Labels: -Restrict-View-SecurityTeam
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 10 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 11 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
Cc: ya...@nightwatchcybersecurity.com
