Issue 654279 link

Starred by 2 users

Issue metadata

Status:	Fixed
Owner:	rob@robwu.nl
Closed:	Oct 2016
Cc:	█ raymes@chromium.org thestig@chromium.org
Components:	Internals>Plugins>PDF
EstimatedDays:	----
NextAction:	----
OS:	All
Pri:	1
Type:	Bug-Security
Reward-1000 M-55 Security_Impact-Stable Security_Severity-Medium allpublic reward-inprocess merge-merged-2883 Release-0-M55 CVE-2016-5220 CVE_description-submitted

Security: PDFs can navigate to file:-URLs

Project Member Reported by rob@robwu.nl, Oct 9 2016

Issue description

Chrome version: 53.0.2785.116 (stable) and latest (56.0.2886.0).

1. Open attached PDF.
2. Ctrl-click on the PDF file (middle-mouse and shift also work in Chrome 54 onwards thanks to  bug 630075 ).
3. Observe that file:///tmp/ is being opened (as an example).

This is like  bug 533520 , except with key modifiers.

poc.pdf
638 bytes Download

Comment 1 by rob@robwu.nl, Oct 9 2016

Cc: thestig@chromium.org
Owner: rob@robwu.nl
Status: Started (was: Unconfirmed)

Patch: https://codereview.chromium.org/2402873002

Comment 2 by tsepez@chromium.org, Oct 10 2016

Labels: M-55 Security_Severity-Medium Security_Impact-Stable Pri-2

Severity medium per previous bug with these consequences.

Comment 3 by thestig@chromium.org, Oct 10 2016

Cc: raymes@chromium.org

Project Member

Comment 4 by sheriffbot@chromium.org, Oct 11 2016

Labels: -Pri-2 Pri-1

Project Member

Comment 5 by bugdroid1@chromium.org, Oct 14 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/374249e767a68d8da073a4ed3a4f29236451174c

commit 374249e767a68d8da073a4ed3a4f29236451174c
Author: rob <rob@robwu.nl>
Date: Fri Oct 14 10:13:14 2016

Add check for file:-navigations from PDFs

BUG= 654279 
TEST=./browser_tests --gtest_filter=PDFExtensionTest.Navigator
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:closure_compilation

Review-Url: https://codereview.chromium.org/2402873002
Cr-Commit-Position: refs/heads/master@{#425287}

[modify] https://crrev.com/374249e767a68d8da073a4ed3a4f29236451174c/chrome/browser/resources/pdf/navigator.js
[modify] https://crrev.com/374249e767a68d8da073a4ed3a4f29236451174c/chrome/browser/resources/pdf/pdf.js
[modify] https://crrev.com/374249e767a68d8da073a4ed3a4f29236451174c/chrome/test/data/pdf/navigator_test.js

Comment 6 by thestig@chromium.org, Oct 14 2016

Status: Fixed (was: Started)

Project Member

Comment 7 by sheriffbot@chromium.org, Oct 15 2016

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 8 by rob@robwu.nl, Oct 17 2016

Labels: Merge-Request-55

Comment 9 by dimu@chromium.org, Oct 17 2016

Labels: -Merge-Request-55 Merge-Approved-55 Hotlist-Merge-Approved

Your change meets the bar and is auto-approved for M55 (branch: 2883)

Project Member

Comment 10 by bugdroid1@chromium.org, Oct 17 2016

Labels: -merge-approved-55 merge-merged-2883

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/c337558010508f6e27594e2683ddcf2f8813fc89

commit c337558010508f6e27594e2683ddcf2f8813fc89
Author: Rob Wu <rob@robwu.nl>
Date: Mon Oct 17 11:54:00 2016

Add check for file:-navigations from PDFs

BUG= 654279 
TEST=./browser_tests --gtest_filter=PDFExtensionTest.Navigator
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:closure_compilation

Review-Url: https://codereview.chromium.org/2402873002
Cr-Commit-Position: refs/heads/master@{#425287}
(cherry picked from commit 374249e767a68d8da073a4ed3a4f29236451174c)

Review URL: https://codereview.chromium.org/2424783002 .

Cr-Commit-Position: refs/branch-heads/2883@{#146}
Cr-Branched-From: 614d31daee2f61b0180df403a8ad43f20b9f6dd7-refs/heads/master@{#423768}

[modify] https://crrev.com/c337558010508f6e27594e2683ddcf2f8813fc89/chrome/browser/resources/pdf/navigator.js
[modify] https://crrev.com/c337558010508f6e27594e2683ddcf2f8813fc89/chrome/browser/resources/pdf/pdf.js
[modify] https://crrev.com/c337558010508f6e27594e2683ddcf2f8813fc89/chrome/test/data/pdf/navigator_test.js

Comment 11 by awhalley@chromium.org, Oct 18 2016

Labels: reward-topanel

Comment 12 by awhalley@chromium.org, Oct 27 2016

Labels: -reward-topanel reward-unpaid reward-1000

Comment 13 by awhalley@chromium.org, Oct 27 2016

$1,000 for this report - many thanks!

Project Member

Comment 14 by bugdroid1@chromium.org, Oct 27 2016

Labels: merge-merged-2840

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/c337558010508f6e27594e2683ddcf2f8813fc89

commit c337558010508f6e27594e2683ddcf2f8813fc89
Author: Rob Wu <rob@robwu.nl>
Date: Mon Oct 17 11:54:00 2016

Add check for file:-navigations from PDFs

BUG= 654279 
TEST=./browser_tests --gtest_filter=PDFExtensionTest.Navigator
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:closure_compilation

Review-Url: https://codereview.chromium.org/2402873002
Cr-Commit-Position: refs/heads/master@{#425287}
(cherry picked from commit 374249e767a68d8da073a4ed3a4f29236451174c)

Review URL: https://codereview.chromium.org/2424783002 .

Cr-Commit-Position: refs/branch-heads/2883@{#146}
Cr-Branched-From: 614d31daee2f61b0180df403a8ad43f20b9f6dd7-refs/heads/master@{#423768}

[modify] https://crrev.com/c337558010508f6e27594e2683ddcf2f8813fc89/chrome/browser/resources/pdf/navigator.js
[modify] https://crrev.com/c337558010508f6e27594e2683ddcf2f8813fc89/chrome/browser/resources/pdf/pdf.js
[modify] https://crrev.com/c337558010508f6e27594e2683ddcf2f8813fc89/chrome/test/data/pdf/navigator_test.js

Comment 15 by awhalley@chromium.org, Oct 28 2016

Labels: -reward-unpaid reward-inprocess

Comment 16 by rob@robwu.nl, Nov 1 2016

Labels: -merge-merged-2840

(not merged, budroid comment is wrong - https://groups.google.com/a/chromium.org/d/msg/chromium-dev/sJ7gZLqyJ-g/k-CbRUrnBwAJ)

Comment 17 by awhalley@chromium.org, Nov 7 2016

Labels: -Hotlist-Merge-Approved

Comment 18 by awhalley@chromium.org, Nov 29 2016

Labels: Release-0-M55

Comment 19 by awhalley@chromium.org, Jan 4 2017

Labels: CVE-2016-5220

Project Member

Comment 20 by sheriffbot@chromium.org, Jan 21 2017

Labels: -Restrict-View-SecurityNotify allpublic

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 21 by awhalley@chromium.org, Apr 25 2018

Labels: CVE_description-submitted

►

Issue 654279 link

Issue metadata

Security: PDFs can navigate to file:-URLs

Issue description

Comment 1 by rob@robwu.nl, Oct 9 2016

Comment 1 Deleted

Comment 2 by tsepez@chromium.org, Oct 10 2016

Comment 2 Deleted

Comment 3 by thestig@chromium.org, Oct 10 2016

Comment 3 Deleted

Comment 4 by sheriffbot@chromium.org, Oct 11 2016

Comment 4 Deleted

Comment 5 by bugdroid1@chromium.org, Oct 14 2016

Comment 5 Deleted

Comment 6 by thestig@chromium.org, Oct 14 2016

Comment 6 Deleted

Comment 7 by sheriffbot@chromium.org, Oct 15 2016

Comment 7 Deleted

Comment 8 by rob@robwu.nl, Oct 17 2016

Comment 8 Deleted

Comment 9 by dimu@chromium.org, Oct 17 2016

Comment 9 Deleted

Comment 10 by bugdroid1@chromium.org, Oct 17 2016

Comment 10 Deleted

Comment 11 by awhalley@chromium.org, Oct 18 2016

Comment 11 Deleted

Comment 12 by awhalley@chromium.org, Oct 27 2016

Comment 12 Deleted

Comment 13 by awhalley@chromium.org, Oct 27 2016

Comment 13 Deleted

Comment 14 by bugdroid1@chromium.org, Oct 27 2016

Comment 14 Deleted

Comment 15 by awhalley@chromium.org, Oct 28 2016

Comment 15 Deleted

Comment 16 by rob@robwu.nl, Nov 1 2016

Comment 16 Deleted

Comment 17 by awhalley@chromium.org, Nov 7 2016

Comment 17 Deleted

Comment 18 by awhalley@chromium.org, Nov 29 2016

Comment 18 Deleted

Comment 19 by awhalley@chromium.org, Jan 4 2017

Comment 19 Deleted

Comment 20 by sheriffbot@chromium.org, Jan 21 2017

Comment 20 Deleted

Comment 21 by awhalley@chromium.org, Apr 25 2018

Comment 21 Deleted

Sign in to add a comment