
Issue 755491

Starred by 3 users

Issue metadata

Status: WontFix
Owner:
Closed: Feb 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Bug-Security




embed tag download certain files without consent

Reported by edward.b...@gmail.com, Aug 15 2017

Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36

Steps to reproduce the problem:
1. Create HTML page with <embed src="whatever" />
2. Open in Chrome
3. File downloads without consent

What is the expected behavior?
File not to download without consent

What went wrong?
File downloaded without consent.

Works with .mid, .docx, .pfx, haven't tested with many others. I'd imagine there's a list of file ext's to mime-types that are exploitable...

Did this work before? N/A 

Chrome version: 60.0.3112.90  Channel: n/a
OS Version: 10.0
Flash Version:
 
Attachment: test.zip (263 bytes)
A better title would be without consent or user interaction, I suppose....

Works with .zip too.

It's not /that/ bad but nuisance files could be downloaded.

Doesn't work with .com, .bat, .exe, .msi.

Spec says "If the user agent can't find a suitable plugin when attempting to find and instantiate one for the algorithm above, then the user agent must use a default plugin. This default could be as simple as saying "Unsupported Format"." I imagine the default is download file -- highly unusual!

Also reproducible on Chrome mobile.
Similar to #527173 which is nearly 2 years old
May be worth noting that Firefox, Edge and IE do not download the file
Components: UI>Browser>Downloads
I believe this is working-as-intended, and just one of several mechanisms for triggering a file download; Chrome doesn't prompt for most file downloads, although the behavior depends on heuristics including the file type and the user's interaction with the website.

By default, the setting of "Ask where to save each file before downloading" is off (see chrome://settings/?search=download)

Comment 5 by rsesek@chromium.org, Aug 17 2017

Cc: dtrainor@chromium.org xingliu@chromium.org
Owner: qin...@chromium.org
Status: Assigned (was: Unconfirmed)
qinmin: Can you please evaluate this (see #4). Thanks!

Comment 6 by rsesek@chromium.org, Aug 21 2017

Labels: Security_Impact-Stable Security_Severity-Low
Status: WontFix (was: Assigned)
Working as intended.  If we want to revisit the decision feel free to reopen!

Comment 8 by sheriffbot@chromium.org, May 17 2018

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
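
For anyone hosting user-supplied HTML, a static audit for the pattern reported in this issue, as an added example that is not part of the original thread or of Chromium. The names `EmbedAuditor` and `audit_embeds` and the sample markup are assumptions; the two extension sets are only the reporter's observations on Chrome 60, not a statement of current browser behavior.

```python
import posixpath
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Extension lists exactly as the reporter gives them in this issue (Chrome 60).
REPORTED_DOWNLOADED = {".mid", ".docx", ".pfx", ".zip"}
REPORTED_NOT_DOWNLOADED = {".com", ".bat", ".exe", ".msi"}

# Constructed sample markup; example.test and the file names are placeholders.
SAMPLE = """<html><body>
<embed src="whatever" />
<EMBED SRC="https://example.test/files/report.DOCX?v=1">
<embed src="/dl/tool.exe" type="application/octet-stream">
<embed src="song.mid"/>
<img src="a.zip">
</body></html>"""


class EmbedAuditor(HTMLParser):  # hypothetical helper name
    """Collects every <embed> and classifies its src by file extension."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names; <embed ... /> also lands here.
        if tag != "embed":
            return
        attr = dict(attrs)
        src = (attr.get("src") or "").strip()
        # urlsplit().path drops ?query and #fragment before the extension is read.
        ext = posixpath.splitext(urlsplit(src).path)[1].lower()
        if ext in REPORTED_DOWNLOADED:
            verdict = "reported-download"
        elif ext in REPORTED_NOT_DOWNLOADED:
            verdict = "reported-no-download"
        else:
            verdict = "untested"  # the report does not cover this extension
        self.findings.append({"line": self.getpos()[0], "src": src,
                              "type": attr.get("type"), "verdict": verdict})


def audit_embeds(html):
    """Return one finding per <embed> element in the given HTML text."""
    parser = EmbedAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings
```
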
