Issue 654279 Security: PDFs can navigate to file:-URLs
Reported by rob@robwu.nl (Project Member), Oct 9 2016
Status: Fixed
Closed: Oct 2016
OS: All
Pri: 1
Type: Bug-Security



Chrome version: 53.0.2785.116 (stable) and latest (56.0.2886.0).

1. Open attached PDF.
2. Ctrl-click on the PDF file (middle-mouse and shift also work in Chrome 54 onwards thanks to bug 630075).
3. Observe that file:///tmp/ is being opened (as an example).

This is like bug 533520, except with key modifiers.
 
Attachment: poc.pdf (638 bytes)
Comment 1 by rob@robwu.nl, Oct 9 2016
Cc: thestig@chromium.org
Owner: rob@robwu.nl
Status: Started
Patch: https://codereview.chromium.org/2402873002
Comment 2 by tsepez@chromium.org, Oct 10 2016
Labels: M-55 Security_Severity-Medium Security_Impact-Stable Pri-2
Severity medium per previous bug with these consequences.
Cc: raymes@chromium.org
Project Member Comment 4 by sheriffbot@chromium.org, Oct 11 2016
Labels: -Pri-2 Pri-1
Project Member Comment 5 by bugdroid1@chromium.org, Oct 14 2016
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/374249e767a68d8da073a4ed3a4f29236451174c

commit 374249e767a68d8da073a4ed3a4f29236451174c
Author: rob <rob@robwu.nl>
Date: Fri Oct 14 10:13:14 2016

Add check for file:-navigations from PDFs

BUG= 654279 
TEST=./browser_tests --gtest_filter=PDFExtensionTest.Navigator
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:closure_compilation

Review-Url: https://codereview.chromium.org/2402873002
Cr-Commit-Position: refs/heads/master@{#425287}

[modify] https://crrev.com/374249e767a68d8da073a4ed3a4f29236451174c/chrome/browser/resources/pdf/navigator.js
[modify] https://crrev.com/374249e767a68d8da073a4ed3a4f29236451174c/chrome/browser/resources/pdf/pdf.js
[modify] https://crrev.com/374249e767a68d8da073a4ed3a4f29236451174c/chrome/test/data/pdf/navigator_test.js

Status: Fixed
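
The report turns on a file: check that was reachable only for plain clicks, not for clicks with key modifiers. The sketch below is an added example, not the code from the Chromium patch: it shows one way to put the scheme check at a single choke point ahead of the disposition choice. All names, and the simplified modifier-to-disposition mapping, are assumptions made for illustration.

```javascript
// Added illustration; hypothetical names, not Chromium's navigator.js.
const Disposition = Object.freeze({
  CURRENT_TAB: 'current-tab',
  NEW_BACKGROUND_TAB: 'new-background-tab', // assumed: Ctrl/Meta-click, middle-click
  NEW_WINDOW: 'new-window',                 // assumed: Shift-click
});

// Simplified mapping from a click's modifiers to where the link opens.
function dispositionFromClick({ctrlKey = false, metaKey = false,
                               shiftKey = false, button = 0} = {}) {
  if (ctrlKey || metaKey || button === 1) return Disposition.NEW_BACKGROUND_TAB;
  if (shiftKey) return Disposition.NEW_WINDOW;
  return Disposition.CURRENT_TAB;
}

// Returns the resolved target URL, or null when the navigation is refused.
function resolveAllowedTarget(documentUrl, linkUrl) {
  let origin, target;
  try {
    origin = new URL(documentUrl);
    target = new URL(linkUrl, origin); // relative links resolve against the PDF's URL
  } catch (e) {
    return null; // unparseable URL: refuse rather than guess
  }
  // The URL parser lower-cases the scheme, so "FILE:" compares as "file:".
  // file: targets are permitted only when the PDF itself was loaded from file:.
  if (target.protocol === 'file:' && origin.protocol !== 'file:') return null;
  return target.href;
}

// Single choke point: the check runs before the disposition is looked at,
// so no modifier-key path can skip it.
function navigate(documentUrl, linkUrl, clickEvent, handlers) {
  const target = resolveAllowedTarget(documentUrl, linkUrl);
  if (target === null) return false;
  handlers[dispositionFromClick(clickEvent)](target);
  return true;
}
```

A regression test for this class of bug should iterate over every disposition, not only the plain-click path.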
Project Member Comment 7 by sheriffbot@chromium.org, Oct 15 2016
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Comment 8 by rob@robwu.nl, Oct 17 2016
Labels: Merge-Request-55
Comment 9 by dimu@chromium.org, Oct 17 2016
Labels: -Merge-Request-55 Merge-Approved-55 Hotlist-Merge-Approved
Your change meets the bar and is auto-approved for M55 (branch: 2883)
Project Member Comment 10 by bugdroid1@chromium.org, Oct 17 2016
Labels: -merge-approved-55 merge-merged-2883
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/c337558010508f6e27594e2683ddcf2f8813fc89

commit c337558010508f6e27594e2683ddcf2f8813fc89
Author: Rob Wu <rob@robwu.nl>
Date: Mon Oct 17 11:54:00 2016

Add check for file:-navigations from PDFs

BUG= 654279 
TEST=./browser_tests --gtest_filter=PDFExtensionTest.Navigator
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:closure_compilation

Review-Url: https://codereview.chromium.org/2402873002
Cr-Commit-Position: refs/heads/master@{#425287}
(cherry picked from commit 374249e767a68d8da073a4ed3a4f29236451174c)

Review URL: https://codereview.chromium.org/2424783002 .

Cr-Commit-Position: refs/branch-heads/2883@{#146}
Cr-Branched-From: 614d31daee2f61b0180df403a8ad43f20b9f6dd7-refs/heads/master@{#423768}

[modify] https://crrev.com/c337558010508f6e27594e2683ddcf2f8813fc89/chrome/browser/resources/pdf/navigator.js
[modify] https://crrev.com/c337558010508f6e27594e2683ddcf2f8813fc89/chrome/browser/resources/pdf/pdf.js
[modify] https://crrev.com/c337558010508f6e27594e2683ddcf2f8813fc89/chrome/test/data/pdf/navigator_test.js

Labels: reward-topanel
Labels: -reward-topanel reward-unpaid reward-1000
$1,000 for this report - many thanks!
Project Member Comment 14 by bugdroid1@chromium.org, Oct 27 2016
Labels: merge-merged-2840
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/c337558010508f6e27594e2683ddcf2f8813fc89

commit c337558010508f6e27594e2683ddcf2f8813fc89
Author: Rob Wu <rob@robwu.nl>
Date: Mon Oct 17 11:54:00 2016

Add check for file:-navigations from PDFs

BUG= 654279 
TEST=./browser_tests --gtest_filter=PDFExtensionTest.Navigator
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:closure_compilation

Review-Url: https://codereview.chromium.org/2402873002
Cr-Commit-Position: refs/heads/master@{#425287}
(cherry picked from commit 374249e767a68d8da073a4ed3a4f29236451174c)

Review URL: https://codereview.chromium.org/2424783002 .

Cr-Commit-Position: refs/branch-heads/2883@{#146}
Cr-Branched-From: 614d31daee2f61b0180df403a8ad43f20b9f6dd7-refs/heads/master@{#423768}

[modify] https://crrev.com/c337558010508f6e27594e2683ddcf2f8813fc89/chrome/browser/resources/pdf/navigator.js
[modify] https://crrev.com/c337558010508f6e27594e2683ddcf2f8813fc89/chrome/browser/resources/pdf/pdf.js
[modify] https://crrev.com/c337558010508f6e27594e2683ddcf2f8813fc89/chrome/test/data/pdf/navigator_test.js

Labels: -reward-unpaid reward-inprocess
Comment 16 by rob@robwu.nl, Nov 1 2016
Labels: -merge-merged-2840
(not merged, bugdroid comment is wrong - https://groups.google.com/a/chromium.org/d/msg/chromium-dev/sJ7gZLqyJ-g/k-CbRUrnBwAJ)
Labels: -Hotlist-Merge-Approved
Labels: Release-0-M55
Labels: CVE-2016-5220
Project Member Comment 20 by sheriffbot@chromium.org, Jan 21
Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot