Security: Possible RAR issues in ChromeOS guest mode
Reported by
resea...@nightwatchcybersecurity.com,
Mar 17 2016
Issue description

VULNERABILITY DETAILS
RAR files are accessible while in Guest mode, while all other archives (ZIP, tar, tar.gz, etc) are not. Additionally, because of bug # 579035, we observed that double clicking on a file inside the RAR file does not properly encode the name of the file when opening in Chrome. We are attaching a test RAR file and a screenshot. Third, because archives are processed as mounted file systems, it may be possible that they will result in different file permissions than regular downloaded files.

VERSION
Chrome Version: 49.0.2623.95 (Official Build) (64-bit)
Operating System: ChromeOS 7834.60.0 (= Official Build) stable-channel parrot

REPRODUCTION CASE
Open a RAR file, and see it mount. Also, double click the non-English PDF file inside and observe the name un-encoded in Chrome.

File originally came from: http://www.mesherasrub.ru/Kak_postroit_selskii_dom.rar
,
Mar 18 2016
If all archives are banned for security reasons then RAR should be also. However, we are more concerned about the fact that the file names of files coming out of RARs are not escaped properly in Chrome.
,
Mar 18 2016
Thank you for providing more feedback. Assigning to requester "meacer@chromium.org" for another review. For more details visit https://sites.google.com/a/chromium.org/dev/issue-tracking/autotriage - Your friendly Sheriffbot
,
Mar 18 2016
> If all archives are banned for security reasons then RAR should be also.

That was my question, I don't see any indication that other archive types are banned. For zip files I'm getting an error that says I need to install an extension or app to open the file.

> However, we are more concerned about the fact that the file names of files coming out of RARs are not escaped properly in Chrome.

Can you please file a separate bug for this?
,
Mar 18 2016
mtomasz: Assigning to you, please reassign as appropriate. Does ChromeOS explicitly block archive types from mounting in Guest mode?
,
Mar 20 2016
meacer: Filed as a separate bug - 596298
,
Mar 21 2016
,
Mar 22 2016
It's true that RAR works in guest mode, but ZIP doesn't. It's inconsistent, but working as intended. Note that RAR is using FUSE, which we want to stop using in the long term. RAR and ZIP use completely different flows. RAR uses FUSE, ZIP uses FSP API. We want to migrate RAR to use FSP API but we're blocked on the libarchive library which we're using for archives. Closing as WontFix. As for file names, I'll comment in crbug.com/596298.
,
Jun 28 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Oct 2 2016
,
Mar 9 2017
Comment 1 by mea...@chromium.org
, Mar 18 2016