New issue
Advanced search Search tips

Issue 701762 link

Starred by 1 user
Status: WontFix
Owner: ----
Closed: Mar 2017
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security



Sign in to add a comment

Security: Arbitrary local file detection under file:// protocol

Reported by junoro...@gmail.com, Mar 15 2017 
VULNERABILITY DETAILS
Arbitrary local file detection under file:// protocol

VERSION
Version 57.0.2987.98 (64-bit) + stable
Operating System: macOS Sierra 10.12.3

REPRODUCTION CASE

https://www.youtube.com/watch?v=sT1ma72N7sA

Comment 1 by elawrence@chromium.org, Mar 15 2017

Components: Internals>Network
In this scenario, you're running your exploit from the file:// protocol, which means that the page has permission to load other files via the file:// protocol. This attack wouldn't work from a page served via HTTP or HTTPS. 

Chrome's security model forbids navigation from web content to the file:// protocol.

Comment 2 by tsepez@chromium.org, Mar 15 2017

Status: WontFix (was: Unconfirmed)
Wontfix per C1.

Comment 3 Deleted

Comment 4 Deleted

Project Member

Comment 5 by sheriffbot@chromium.org, Jun 22 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment