New issue
Advanced search Search tips

Issue 623902 link

Starred by 1 user
Status: WontFix
Owner: ----
Closed: Jun 2016
Cc:
palmer@chromium.org
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security



Sign in to add a comment

Google Chrome Bug viewing Bat file loaded with javascript

Reported by ronaldod...@gmail.com, Jun 28 2016 
Google Chrome prevent user from downloading a bat file or executing it va browser and instead you can view it on Google Chrome. It will not run the code but it will translate as text. Since the bat file can view on chrome we can use it to hide the Javascript. Because it does not filter the html file or javascript inside the bat file.<br>
<br>
Like when opening a text.txt when you put a html code and javascript it doesnt run but in 1.bat file when you put a javascript and html file it will run the malicious javascript<br>
<br>
<br>
<br>
Google Chrome Browser Version<br>
51.0.2704.106 m<br>
<br>
GoogleChrome.png
198 KB View Download

Comment 1 by ronaldod...@gmail.com, Jun 28 2016 

OS: WINDOWS

Comment 2 by palmer@chromium.org, Jun 28 2016

Cc: palmer@chromium.org
Status: WontFix (was: Unconfirmed)
The JavaScript will run in the context of its own origin (e.g. the origin file:///Users/Somebody/Desktop/foo.bat is a distinct origin). It will thus have no access to resources or credentials scoped to any other origin.

If you can break that guarantee, that of course would be a bad vulnerability. Please do comment on this bug if you have evidence of that, and I'll re-open it.

Comment 3 by ronaldod...@gmail.com, Jun 29 2016 

Ok ill provide

Comment 4 by ronaldod...@gmail.com, Jun 30 2016 

Wait. . If https://site/foo.bat 

And the foo.bat content is for example Start Calc.exe 

The user will not be able to download that bat file right? Because it will be view or save as foo.bat.txt when the user save the file.
What if we can trigger the chrome to download a bat file? Is it a vulnerability?

Comment 5 by palmer@chromium.org, Jun 30 2016 

Chrome will let people download bad things, including outright malware. But, the more dangerous it is (such as if SafeBrowsing reports it to be malware), the more roadblocks we put up in the UX.

But, ultimately, if people want to download and run malicious .BAT files from the web, that's not a vulnerability in Chrome. We warn and advise, but do not claim control of people's browsing.

Comment 6 Deleted

Project Member

Comment 7 by sheriffbot@chromium.org, Oct 5 2016

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment