
Issue 762702

Issue metadata

Status: Fixed
Closed: Nov 2017
Type: Bug




Download Protection Bypass .html files can be modified to bypass Full Ping

Reported by bjornbjo...@gmail.com, Sep 6 2017

Issue description

VERSION
Chromium Version: 60.0.3112.113 (Developer Build) 64-bit
Operating System: Ubuntu 16.04.3 LTS 64-bit

REPRODUCTION CASE

The Full Ping for an .html file upon download can be bypassed by renaming the filename extension to either .xhtml or .xht, e.g. text.html -> test.xhtml.
Chromium does not check these filename extensions.
To work better, the .html file should be coded according to XHTML style:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">

<head>
  <title>Title of document</title>
</head>

<body>
  some content 
</body>

</html>

After download, the modified .html files can be opened within Chromium [downloads].


I'm attaching my test files.

Attachments:
alert test.html (307 bytes)
alert test.xht (307 bytes)
alert test.xhtml (307 bytes)

Also, since html and htm are being flagged because of

  # This extension is abused by UwS campaigns to evade referrer
  # attribution via a two-level download scheme. crbug.com/719784
[according to a comment in download_file_types.asciipb]

xhtml and xht should probably be flagged as well.
Labels: SafeBrowsing-Triaged
Owner: nparker@chromium.org
Status: Assigned (was: Unconfirmed)
Thanks for the report. I agree we should send pings for these types.
Project Member

Comment 3 by bugdroid1@chromium.org, Sep 9 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/b831645dfbabd332f47a782bdb47bf3cc10d830a

commit b831645dfbabd332f47a782bdb47bf3cc10d830a
Author: Nathan Parker <nparker@chromium.org>
Date: Sat Sep 09 00:38:24 2017

Add download pings for types .xht, .xhtm, .xhtml

Bug:  762702 
Cq-Include-Trybots: master.tryserver.chromium.linux:closure_compilation
Change-Id: I409b9bb54a7987a3c19f44cb45de00da05abd4a2
Reviewed-on: https://chromium-review.googlesource.com/658119
Commit-Queue: Varun Khaneja <vakh@chromium.org>
Reviewed-by: Steven Holte <holte@chromium.org>
Reviewed-by: Varun Khaneja <vakh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#500763}
[modify] https://crrev.com/b831645dfbabd332f47a782bdb47bf3cc10d830a/chrome/browser/resources/safe_browsing/download_file_types.asciipb
[modify] https://crrev.com/b831645dfbabd332f47a782bdb47bf3cc10d830a/tools/metrics/histograms/enums.xml

Thank you for your reply. It also works with the following extensions:

dynamic html: .dhtml, .dhtm, .dht

SSI html: .shtml, .shtm, .sht

So these should get a Full Ping, too.

Just wondering if this issue is still being looked at.

I'm attaching the other files.

Attachments:
alert test.shtml (110 bytes)
alert test.shtm (110 bytes)
alert test.sht (110 bytes)
alert test.dhtml (110 bytes)
alert test.dhtm (110 bytes)
alert test.dht (110 bytes)

Status: Started (was: Assigned)
For the list in #4:
 * Linux: They all open in Chrome.
 * Win 10: Only the .shtml is openable

We should send a ping for all of them then.
Project Member

Comment 8 by bugdroid1@chromium.org, Oct 27 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/8add59a69da35f2cc0c3585fa44cac696a3d003c

commit 8add59a69da35f2cc0c3585fa44cac696a3d003c
Author: Nathan Parker <nparker@chromium.org>
Date: Fri Oct 27 23:07:31 2017

Add a number of new download_file_types, and some enums we were missing.

Add btapp, btbtskin, btkey, btinstasll, btsearch,
    dhtml, dhtm, dht, shtml, shtm, sht, vdx, vsx,
    vtx, vsdx, vssx, vstx, vsdm, vssm, vstm.

Fix up enums that weren't correct before, and remove some platform_settings
that are set to the defaults anyway.

Bug:  771469 ,  767502 ,  762702 
Cq-Include-Trybots: master.tryserver.chromium.linux:closure_compilation
Change-Id: I4114c35e3f1a56a067f9b61bb54bfe3a8a801531
Reviewed-on: https://chromium-review.googlesource.com/736161
Commit-Queue: Nathan Parker <nparker@chromium.org>
Reviewed-by: Luke Z <lpz@chromium.org>
Reviewed-by: Varun Khaneja <vakh@chromium.org>
Reviewed-by: David Trainor <dtrainor@chromium.org>
Cr-Commit-Position: refs/heads/master@{#512338}
[modify] https://crrev.com/8add59a69da35f2cc0c3585fa44cac696a3d003c/chrome/browser/resources/safe_browsing/download_file_types.asciipb
[modify] https://crrev.com/8add59a69da35f2cc0c3585fa44cac696a3d003c/content/browser/download/download_stats.cc
[modify] https://crrev.com/8add59a69da35f2cc0c3585fa44cac696a3d003c/tools/metrics/histograms/enums.xml

Status: Fixed (was: Started)
Pushed via component update.
Project Member

Comment 10 by sheriffbot@chromium.org, Nov 2 2017

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Project Member

Comment 11 by sheriffbot@chromium.org, Feb 8 2018

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
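
Added example (not part of the original issue and not Chromium's code): a small audit that parses a file-type list written in the text-protobuf style of download_file_types.asciipb and reports which HTML-family extensions named in this thread would not get a full ping. The sample fragment, its field values and the function names are constructed for illustration.

```python
# Constructed fragment in the text-protobuf style of download_file_types.asciipb.
# It models only the two HTML entries the report mentions; values are illustrative.
SAMPLE_AT_REPORT = '''
file_types {
  extension: "html"
  ping_setting: FULL_PING
  platform_settings {
    danger_level: NOT_DANGEROUS  # assumed value, not taken from the page
  }
}
file_types {
  extension: "htm"
  ping_setting: FULL_PING
}
'''

# HTML-family extensions named in this thread (report, follow-up, commit messages).
HTML_FAMILY = ["html", "htm", "xhtml", "xhtm", "xht",
               "dhtml", "dhtm", "dht", "shtml", "shtm", "sht"]

def parse_ping_settings(text):
    """Map lower-cased extension -> ping_setting for each top-level file_types entry."""
    settings, depth, entry = {}, 0, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        if line.endswith("{"):
            depth += 1
            if depth == 1 and line.startswith("file_types"):
                entry = {}
        elif line == "}":
            if depth == 1 and entry is not None and "extension" in entry:
                settings[entry["extension"].lower()] = entry.get("ping_setting", "UNSET")
            if depth == 1:
                entry = None
            depth -= 1
        elif depth == 1 and entry is not None and ":" in line:
            key, value = line.split(":", 1)   # nested blocks (depth 2) are skipped
            entry[key.strip()] = value.strip().strip('"')
    return settings

def missing_full_ping(text, family=HTML_FAMILY):
    """List family extensions that are unlisted or not set to FULL_PING."""
    settings = parse_ping_settings(text)
    return [ext for ext in family if settings.get(ext) != "FULL_PING"]

def with_full_ping(text, extensions):
    """Return the fragment with FULL_PING entries appended for the given extensions."""
    return text + "".join(
        'file_types {\n  extension: "%s"\n  ping_setting: FULL_PING\n}\n' % ext
        for ext in extensions)
```

Running missing_full_ping over the list as part of review or CI turns the gap reported here into a failing check whenever a browser-renderable extension is added to the family but not to the list.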
