Issue 637639


Issue metadata

Status: Assigned
Owner:
Components:
EstimatedDays: ----
NextAction: 2018-09-18
OS: Linux , Windows , Mac
Pri: 2
Type: Bug




File upload dialogue can be made to seem to open on arbitrary websites.

Reported by greencar...@hotmail.com, Aug 15 2016

Issue description

VULNERABILITY DETAILS
The dialogue that opens to upload files can be made to seem as if it is opening from a trusted domain by triggering it to open at the same time as opening a new URL. A potential victim can be tricked into disclosing private files.

VERSION
Chrome Version: 52.0.2743.116 m (64-bit) + Stable
Operating System: Windows 8.1 64bit

REPRODUCTION CASE
------------------------------------
<style>
  /* The file input is present but invisible; the visible button drives it. */
  #q { opacity: 0; }
</style>
<input type="file" id="q"/>
<button id="qbutt">Click me</button>
<script>
  var pop;
  qbutt.onclick = function () {
    // Open the file chooser and a new window from the same click handler, so the
    // chooser ends up displayed over the newly opened page.
    q.click();
    pop = open('https://drive.google.com/drive/my-drive', 123);
  };
</script>
-----------------------------------


Comment 1 by och...@chromium.org, Aug 15 2016

Components: Blink>Input
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Type-Bug
Thanks for the report. I'm not sure if there's much we can do here, and it seems to me that exploiting this behaviour wouldn't really be convincing in most scenarios.

I'll hand this over to the blink input folks for their thoughts.

Comment 2 Deleted

Components: -Blink>Input Blink>Forms

Comment 4 by tkent@chromium.org, Aug 16 2016

Labels: OS-Linux OS-Mac OS-Windows Pri-2
Status: Available (was: Unconfirmed)
Summary: File upload dialogue can be seemed to be opened on arbitrary websites. (was: Security: File upload dialogue can be seemed to be opened on arbitrary websites.)
We should close the file chooser dialog when a new tab is open.

Comment 5 by tkent@chromium.org, Aug 19 2016

Components: -Blink>Forms Blink>Forms>File

Comment 6 by sheriffbot@chromium.org, Aug 21 2017

Labels: Hotlist-Recharge-Cold
Status: Untriaged (was: Available)
This issue has been Available for over a year. If it's no longer important or seems unlikely to be fixed, please consider closing it out. If it is important, please re-triage the issue.

Sorry for the inconvenience if the bug really should have been left as Available. If you change it back, also remove the "Hotlist-Recharge-Cold" label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 7 by tkent@chromium.org, Aug 22 2017

Labels: -Hotlist-Recharge-Cold
Status: Available (was: Untriaged)

Comment 8 by tkent@chromium.org, Jun 25 2018

Issue 855278 has been merged into this issue.

Comment 9 by bugdroid1@chromium.org, Jun 25 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/93c712cc6aae7e36b623c21a9ef8c3f78527a256

commit 93c712cc6aae7e36b623c21a9ef8c3f78527a256
Author: Kent Tamura <tkent@chromium.org>
Date: Mon Jun 25 08:23:22 2018

Make blink::PopupOpeningObserver a GarbageCollectedMixin

All of PopupOpeningObserver implementors are on GC heap, and having
raw pointers to them is dangerous.

This CL is a preparation to make blink::FileInputType a
PopupOpeningObserver.

Bug: 637639
Change-Id: Iee014462716cc3c3de91ddf365ab8644e2de5f2e
Reviewed-on: https://chromium-review.googlesource.com/1113084
Commit-Queue: Kent Tamura <tkent@chromium.org>
Reviewed-by: Keishi Hattori <keishi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#569983}
[modify] https://crrev.com/93c712cc6aae7e36b623c21a9ef8c3f78527a256/third_party/blink/renderer/core/html/forms/spin_button_element.h
[modify] https://crrev.com/93c712cc6aae7e36b623c21a9ef8c3f78527a256/third_party/blink/renderer/core/page/chrome_client_impl.cc
[modify] https://crrev.com/93c712cc6aae7e36b623c21a9ef8c3f78527a256/third_party/blink/renderer/core/page/chrome_client_impl.h
[modify] https://crrev.com/93c712cc6aae7e36b623c21a9ef8c3f78527a256/third_party/blink/renderer/core/page/popup_opening_observer.h


Comment 10 by bugdroid1@chromium.org, Jun 27 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/428b9a51de926f68b27473adf85d2b942770d135

commit 428b9a51de926f68b27473adf85d2b942770d135
Author: Kent Tamura <tkent@chromium.org>
Date: Wed Jun 27 09:32:00 2018

test_runner: Support file selection with RunFileChooser().

Add a mock implementation of RunFileChooser(), with a testRunner
function setFileChooserPaths().

Bug: 637639
Change-Id: Ic5536524b2a5381556605b79e1907429d985e245
Reviewed-on: https://chromium-review.googlesource.com/1114573
Reviewed-by: Keishi Hattori <keishi@chromium.org>
Commit-Queue: Kent Tamura <tkent@chromium.org>
Cr-Commit-Position: refs/heads/master@{#570711}
[modify] https://crrev.com/428b9a51de926f68b27473adf85d2b942770d135/content/shell/test_runner/test_runner.cc
[modify] https://crrev.com/428b9a51de926f68b27473adf85d2b942770d135/content/shell/test_runner/test_runner.h
[modify] https://crrev.com/428b9a51de926f68b27473adf85d2b942770d135/content/shell/test_runner/web_frame_test_client.cc
[modify] https://crrev.com/428b9a51de926f68b27473adf85d2b942770d135/content/shell/test_runner/web_frame_test_client.h
[modify] https://crrev.com/428b9a51de926f68b27473adf85d2b942770d135/third_party/WebKit/LayoutTests/accessibility/file-upload-button-with-axpress-expected.txt
[modify] https://crrev.com/428b9a51de926f68b27473adf85d2b942770d135/third_party/WebKit/LayoutTests/fast/events/domactivate-sets-underlying-click-event-as-handled-expected.txt
[modify] https://crrev.com/428b9a51de926f68b27473adf85d2b942770d135/third_party/WebKit/LayoutTests/fast/forms/file/file-input-click-expected.txt
[modify] https://crrev.com/428b9a51de926f68b27473adf85d2b942770d135/third_party/WebKit/LayoutTests/fast/forms/file/file-input-click.html
[modify] https://crrev.com/428b9a51de926f68b27473adf85d2b942770d135/third_party/WebKit/LayoutTests/fast/forms/file/file-input-key-enter-expected.txt
[modify] https://crrev.com/428b9a51de926f68b27473adf85d2b942770d135/third_party/WebKit/LayoutTests/fast/forms/file/file-input-key-enter.html
[modify] https://crrev.com/428b9a51de926f68b27473adf85d2b942770d135/third_party/WebKit/LayoutTests/fast/forms/file/file-input-key-other-expected.txt
[modify] https://crrev.com/428b9a51de926f68b27473adf85d2b942770d135/third_party/WebKit/LayoutTests/fast/forms/file/file-input-key-other.html
[modify] https://crrev.com/428b9a51de926f68b27473adf85d2b942770d135/third_party/WebKit/LayoutTests/fast/forms/file/file-input-key-space-expected.txt
[modify] https://crrev.com/428b9a51de926f68b27473adf85d2b942770d135/third_party/WebKit/LayoutTests/fast/forms/file/file-input-key-space.html
[modify] https://crrev.com/428b9a51de926f68b27473adf85d2b942770d135/third_party/WebKit/LayoutTests/fast/forms/file/file-input-webkitdirectory-click-expected.txt
[modify] https://crrev.com/428b9a51de926f68b27473adf85d2b942770d135/third_party/WebKit/LayoutTests/fast/forms/file/file-input-webkitdirectory-click.html
[modify] https://crrev.com/428b9a51de926f68b27473adf85d2b942770d135/third_party/WebKit/LayoutTests/fast/forms/file/file-input-webkitdirectory-key-enter-expected.txt
[modify] https://crrev.com/428b9a51de926f68b27473adf85d2b942770d135/third_party/WebKit/LayoutTests/fast/forms/file/file-input-webkitdirectory-key-enter-prevent-keypress-expected.txt
[modify] https://crrev.com/428b9a51de926f68b27473adf85d2b942770d135/third_party/WebKit/LayoutTests/fast/forms/file/file-input-webkitdirectory-key-enter-prevent-keypress.html
[modify] https://crrev.com/428b9a51de926f68b27473adf85d2b942770d135/third_party/WebKit/LayoutTests/fast/forms/file/file-input-webkitdirectory-key-enter-prevent-keyup-expected.txt
[modify] https://crrev.com/428b9a51de926f68b27473adf85d2b942770d135/third_party/WebKit/LayoutTests/fast/forms/file/file-input-webkitdirectory-key-enter-prevent-keyup.html
[modify] https://crrev.com/428b9a51de926f68b27473adf85d2b942770d135/third_party/WebKit/LayoutTests/fast/forms/file/file-input-webkitdirectory-key-enter.html
[modify] https://crrev.com/428b9a51de926f68b27473adf85d2b942770d135/third_party/WebKit/LayoutTests/fast/forms/file/file-input-webkitdirectory-key-other-expected.txt
[modify] https://crrev.com/428b9a51de926f68b27473adf85d2b942770d135/third_party/WebKit/LayoutTests/fast/forms/file/file-input-webkitdirectory-key-other.html
[modify] https://crrev.com/428b9a51de926f68b27473adf85d2b942770d135/third_party/WebKit/LayoutTests/fast/forms/file/file-input-webkitdirectory-key-space-expected.txt
[modify] https://crrev.com/428b9a51de926f68b27473adf85d2b942770d135/third_party/WebKit/LayoutTests/fast/forms/file/file-input-webkitdirectory-key-space.html


Comment 11 by bugdroid1@chromium.org, Jul 2

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/98e6b138001317bbcc548841f26bd3f084fd0196

commit 98e6b138001317bbcc548841f26bd3f084fd0196
Author: Kent Tamura <tkent@chromium.org>
Date: Mon Jul 02 03:31:19 2018

test_runner: Do not show "FileChooser: canceled" message after resetting TestRunner.

Bug: 637639
Change-Id: I2381fef29364924ca5d615ecf61222472c657d50
Reviewed-on: https://chromium-review.googlesource.com/1119947
Commit-Queue: Kent Tamura <tkent@chromium.org>
Reviewed-by: Arthur Sonzogni <arthursonzogni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#571811}
[modify] https://crrev.com/98e6b138001317bbcc548841f26bd3f084fd0196/content/shell/test_runner/test_runner.cc
[modify] https://crrev.com/98e6b138001317bbcc548841f26bd3f084fd0196/content/shell/test_runner/test_runner.h
[modify] https://crrev.com/98e6b138001317bbcc548841f26bd3f084fd0196/content/shell/test_runner/web_frame_test_client.cc


Comment 12 by bugdroid1@chromium.org, Jul 17

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/0b46e1db3d88b762411614d6ae7bbe4f1d5cd6e0

commit 0b46e1db3d88b762411614d6ae7bbe4f1d5cd6e0
Author: Kent Tamura <tkent@chromium.org>
Date: Tue Jul 17 08:08:20 2018

Forms: Add a UseCounter for opening popups while a file chooser is opening

We'd like to fix a confusing UI issue, and to know the impact
of a possible fix.

Bug: 637639
Change-Id: I7af67ac314f61723c7904cf0fee408ac2b60e774
Reviewed-on: https://chromium-review.googlesource.com/1139940
Commit-Queue: Kent Tamura <tkent@chromium.org>
Reviewed-by: Keishi Hattori <keishi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#575575}
[modify] https://crrev.com/0b46e1db3d88b762411614d6ae7bbe4f1d5cd6e0/third_party/blink/public/platform/web_feature.mojom
[modify] https://crrev.com/0b46e1db3d88b762411614d6ae7bbe4f1d5cd6e0/third_party/blink/renderer/core/html/forms/file_chooser.cc
[modify] https://crrev.com/0b46e1db3d88b762411614d6ae7bbe4f1d5cd6e0/third_party/blink/renderer/core/html/forms/file_chooser.h
[modify] https://crrev.com/0b46e1db3d88b762411614d6ae7bbe4f1d5cd6e0/third_party/blink/renderer/core/html/forms/file_input_type.cc
[modify] https://crrev.com/0b46e1db3d88b762411614d6ae7bbe4f1d5cd6e0/third_party/blink/renderer/core/html/forms/file_input_type.h
[modify] https://crrev.com/0b46e1db3d88b762411614d6ae7bbe4f1d5cd6e0/third_party/blink/renderer/core/page/chrome_client_impl.cc
[modify] https://crrev.com/0b46e1db3d88b762411614d6ae7bbe4f1d5cd6e0/tools/metrics/histograms/enums.xml

NextAction: 2018-09-18
Owner: tkent@chromium.org
Status: Assigned (was: Available)
M69 will have the UseCounter.


Comment 14 by bugdroid1@chromium.org, Jul 17

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/f1b5a26838cdbfdef0fa2a4ce8c4d2112ec03bc7

commit f1b5a26838cdbfdef0fa2a4ce8c4d2112ec03bc7
Author: Owen Min <zmin@chromium.org>
Date: Tue Jul 17 15:13:40 2018

Revert "Forms: Add a UseCounter for opening popups while a file chooser is opening"

This reverts commit 0b46e1db3d88b762411614d6ae7bbe4f1d5cd6e0.

Reason for revert: Causing multiple layout test failures based on findit.

Original change's description:
> Forms: Add a UseCounter for opening popups while a file chooser is opening
> 
> We'd like to fix a confusing UI issue, and to know the impact
> of a possible fix.
> 
> Bug: 637639
> Change-Id: I7af67ac314f61723c7904cf0fee408ac2b60e774
> Reviewed-on: https://chromium-review.googlesource.com/1139940
> Commit-Queue: Kent Tamura <tkent@chromium.org>
> Reviewed-by: Keishi Hattori <keishi@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#575575}

TBR=keishi@chromium.org,tkent@chromium.org

Change-Id: I4bd3877c33ea7a70a7a7d0d53b7cbb1411240da3
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: 637639
Reviewed-on: https://chromium-review.googlesource.com/1140393
Reviewed-by: Owen Min <zmin@chromium.org>
Commit-Queue: Owen Min <zmin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#575643}
[modify] https://crrev.com/f1b5a26838cdbfdef0fa2a4ce8c4d2112ec03bc7/third_party/blink/public/platform/web_feature.mojom
[modify] https://crrev.com/f1b5a26838cdbfdef0fa2a4ce8c4d2112ec03bc7/third_party/blink/renderer/core/html/forms/file_chooser.cc
[modify] https://crrev.com/f1b5a26838cdbfdef0fa2a4ce8c4d2112ec03bc7/third_party/blink/renderer/core/html/forms/file_chooser.h
[modify] https://crrev.com/f1b5a26838cdbfdef0fa2a4ce8c4d2112ec03bc7/third_party/blink/renderer/core/html/forms/file_input_type.cc
[modify] https://crrev.com/f1b5a26838cdbfdef0fa2a4ce8c4d2112ec03bc7/third_party/blink/renderer/core/html/forms/file_input_type.h
[modify] https://crrev.com/f1b5a26838cdbfdef0fa2a4ce8c4d2112ec03bc7/third_party/blink/renderer/core/page/chrome_client_impl.cc
[modify] https://crrev.com/f1b5a26838cdbfdef0fa2a4ce8c4d2112ec03bc7/tools/metrics/histograms/enums.xml


Comment 15 by bugdroid1@chromium.org, Jul 18

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/6bfe210aa3c20ebf1db6ce788991f24e1eace4c7

commit 6bfe210aa3c20ebf1db6ce788991f24e1eace4c7
Author: Kent Tamura <tkent@chromium.org>
Date: Wed Jul 18 03:17:04 2018

Reland "Forms: Add a UseCounter for opening popups while a file chooser is opening"

We'd like to fix a confusing UI issue, and to know the impact
of a possible fix.

This relands #575575, which caused node leaks.
If a document is navigated out while a file chooser is opening,
ChromeClientImpl held a strong reference to a FileInputType and the
whole document leaked.
This CL changes the reference from strong one to weak one.

Bug: 637639
Change-Id: I5dccade80e433ac53de4bb205abab58380b0a5f2
Reviewed-on: https://chromium-review.googlesource.com/1140339
Reviewed-by: Keishi Hattori <keishi@chromium.org>
Commit-Queue: Kent Tamura <tkent@chromium.org>
Cr-Commit-Position: refs/heads/master@{#575923}
[modify] https://crrev.com/6bfe210aa3c20ebf1db6ce788991f24e1eace4c7/third_party/blink/public/platform/web_feature.mojom
[modify] https://crrev.com/6bfe210aa3c20ebf1db6ce788991f24e1eace4c7/third_party/blink/renderer/core/html/forms/file_chooser.cc
[modify] https://crrev.com/6bfe210aa3c20ebf1db6ce788991f24e1eace4c7/third_party/blink/renderer/core/html/forms/file_chooser.h
[modify] https://crrev.com/6bfe210aa3c20ebf1db6ce788991f24e1eace4c7/third_party/blink/renderer/core/html/forms/file_input_type.cc
[modify] https://crrev.com/6bfe210aa3c20ebf1db6ce788991f24e1eace4c7/third_party/blink/renderer/core/html/forms/file_input_type.h
[modify] https://crrev.com/6bfe210aa3c20ebf1db6ce788991f24e1eace4c7/third_party/blink/renderer/core/page/chrome_client_impl.cc
[modify] https://crrev.com/6bfe210aa3c20ebf1db6ce788991f24e1eace4c7/third_party/blink/renderer/core/page/chrome_client_impl.h
[modify] https://crrev.com/6bfe210aa3c20ebf1db6ce788991f24e1eace4c7/tools/metrics/histograms/enums.xml


Comment 16 by bugdroid1@chromium.org, Aug 16

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/792053beea4514aa8afcf0c04461ad6f6f0f4b7e

commit 792053beea4514aa8afcf0c04461ad6f6f0f4b7e
Author: Kent Tamura <tkent@chromium.org>
Date: Thu Aug 16 12:35:00 2018

input[type=file]: Move responsibility for PopupOpeningObserver registration from FileInputType to FileChooser.

We saw a DCHECK failure when a user dropped a directory to <input
type=file webkitdirectory> because FileInputType::FilesChosen()
tried to unregister PopupOpeningObserver though
FileInputType::SetFilesFromDirectory() didn't call
ChromeClient::RegisterPopupOpeningObserver().

This CL moves the registration code from FileInputType to
FileChooser. It's difficult for FileInputType to know exact
timing of showing/hiding FileChooser dialogs because we have a
FileChooser queue in ChromeClientImpl. FileChooser knows it.
Because the FileChooserClient implementation is also a
PopupOpeningObserver implementation, this CL merges them into one
for code simplicity.

Bug: 637639
Change-Id: Ia9f64c212db635b3438431b4c61f06d257300839
Reviewed-on: https://chromium-review.googlesource.com/1177212
Reviewed-by: Keishi Hattori <keishi@chromium.org>
Commit-Queue: Kent Tamura <tkent@chromium.org>
Cr-Commit-Position: refs/heads/master@{#583614}
[modify] https://crrev.com/792053beea4514aa8afcf0c04461ad6f6f0f4b7e/third_party/blink/renderer/core/html/forms/file_chooser.cc
[modify] https://crrev.com/792053beea4514aa8afcf0c04461ad6f6f0f4b7e/third_party/blink/renderer/core/html/forms/file_chooser.h
[modify] https://crrev.com/792053beea4514aa8afcf0c04461ad6f6f0f4b7e/third_party/blink/renderer/core/html/forms/file_input_type.cc
[modify] https://crrev.com/792053beea4514aa8afcf0c04461ad6f6f0f4b7e/third_party/blink/renderer/core/html/forms/file_input_type.h
[modify] https://crrev.com/792053beea4514aa8afcf0c04461ad6f6f0f4b7e/third_party/blink/renderer/core/html/forms/file_input_type_test.cc
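
The mitigation that comment 4 proposes and the CLs above build up, modelled as an added C++ example that is not Chromium's code: a file chooser that observes popup opening and cancels its own dialog, the UseCounter for that case, and observer registration owned by the chooser so the directory-drop path never unregisters what was never registered. Class and method names follow the commit messages; their structure, the counter accessor and the `OpenPopup()` entry point are assumptions.

```cpp
#include <set>
#include <string>
#include <utility>
#include <vector>
// Anything that wants to be told when the page is about to open a popup/new tab.
struct PopupOpeningObserver {
  virtual ~PopupOpeningObserver() = default;
  virtual void WillOpenPopup() = 0;
};
// Stand-in for ChromeClientImpl (assumed structure): the observer registry plus
// the UseCounter the relanded CL adds for "popup opened while a chooser is open".
class ChromeClient {
 public:
  void RegisterPopupOpeningObserver(PopupOpeningObserver* o) { observers_.insert(o); }
  void UnregisterPopupOpeningObserver(PopupOpeningObserver* o) { observers_.erase(o); }
  bool IsRegistered(PopupOpeningObserver* o) const { return observers_.count(o) > 0; }
  void CountPopupWhileChooserOpen() { ++popup_while_chooser_open_; }
  int popup_while_chooser_open() const { return popup_while_chooser_open_; }
  // Equivalent of window.open(): observers react before the new window appears.
  void OpenPopup() {
    std::vector<PopupOpeningObserver*> snapshot(observers_.begin(), observers_.end());
    for (PopupOpeningObserver* o : snapshot) o->WillOpenPopup();  // may unregister
  }
 private:
  std::set<PopupOpeningObserver*> observers_;
  int popup_while_chooser_open_ = 0;
};
// Stand-in for FileChooser. It registers itself only while its dialog is showing,
// so a files-without-dialog path never unregisters what was never registered.
class FileChooser : public PopupOpeningObserver {
 public:
  explicit FileChooser(ChromeClient* client) : client_(client) {}
  void Show() { showing_ = true; client_->RegisterPopupOpeningObserver(this); }
  // Dialog finished: the user picked files, or it was cancelled.
  void DidChoose(std::vector<std::string> files) {
    files_ = std::move(files);
    if (showing_) { showing_ = false; client_->UnregisterPopupOpeningObserver(this); }
  }
  // Directory drop: files arrive with no dialog, so nothing was registered.
  void SetFilesFromDirectory(std::vector<std::string> files) { DidChoose(std::move(files)); }
  // A popup is opening: close the dialog before the new window can cover it.
  void WillOpenPopup() override {
    client_->CountPopupWhileChooserOpen();
    cancelled_ = true;
    DidChoose({});
  }
  bool showing() const { return showing_; }
  bool cancelled() const { return cancelled_; }
  const std::vector<std::string>& files() const { return files_; }
 private:
  ChromeClient* client_;
  bool showing_ = false, cancelled_ = false;
  std::vector<std::string> files_;
};
```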

The NextAction date has arrived: 2018-09-18
