Starred by 2 users
Status: Fixed
Owner:
Closed: Aug 2011
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 3
Type: Bug-Security
Prevent silent truncation of trailing characters in downloaded file names
Reported by sirdarck...@gmail.com, Jul 22 2011
VULNERABILITY DETAILS
The attached file won't prompt you with the typical "this file can potentially damage your computer" warning.

VERSION
Chrome Version: 14.0.825.0 dev-m
Operating System: Windows 7 - also works on windows xp

REPRODUCTION CASE
Click the attached file.

See bug/5067277; credit/reward should be given to marc.novak@gmail.com.
Attachment: meh.exe (8 bytes)

To fix this I would suggest doing as Firefox or IE do, which encode or save the file with the char.
Comment 2 by jsc...@chromium.org, Jul 24 2011
Status: WontFix
Many file types are not prompted on download based on a few heuristics (user gesture, visited the site before today, etc.). 
Labels: -Restrict-View-SecurityTeam -Area-Undefined
You are right.

http://0x.lv/xss.php?frame_xss=http://commondatastorage.googleapis.com/sirdarckcat/work/meh.exe%25C2%25A0

Greetings!!
Comment 4 by jsc...@chromium.org, Jul 26 2011
Labels: SecSeverity-Low
Owner: kenrb@chromium.org
Status: Assigned
The thing here is that CreateFile always truncates any trailing whitespace and period characters. In the scenario described it's not a security issue, but we really should account for that when we canonicalize the filename on Windows. I'm not sure where that code is, so this should be a fun starter bug for Ken.
Comment 5 by jsc...@chromium.org, Jul 27 2011
Labels: -Pri-0 Pri-3 Restrict-View-SecurityTeam
Comment 6 by kenrb@chromium.org, Jul 29 2011
Status: WontFix
The bug does not reproduce on beta, canary, or trunk. Visiting the link in comment 3 with an empty user data directory gives the harmful download prompt.
Comment 7 by adammein@google.com, Aug 11 2011
Hey Ken. The dialog prompt is expected on that link.

I believe the issue is: if something like meh.exe%25C2%25A0 will be downloaded from Gmail, it won't prompt (due to various heuristics), but will be saved as meh.exe (trailing characters stripped). 

So we have the situation where Gmail allows the sending of the attachment (since it's not a banned file), and Chrome happily downloads and converts it to an unsafe file type without a prompt.
Comment 8 by kenrb@chromium.org, Aug 11 2011
Adam, this bug was focused on where trailing characters might be stripped, potentially confusing the heuristic. With the Gmail case, is the behavior any different downloading meh.exe%25C2%25A0 compared to downloading meh.exe?
Comment 9 by jsc...@chromium.org, Aug 11 2011
Labels: OS-Windows
Status: Assigned
Summary: Prevent silent truncation of trailing characters in downloaded file names (was: NULL)
Reopening. This was closed due to some confusion on what the actual bug was. Just to clarify, we need to fix the downloaded file canonicalization on Windows so it doesn't strip trailing whitespace and period characters.
Cc: rdsmith@chromium.org
Labels: Mstone-14 Area-Internals Feature-Downloads
Cc: adammein@google.com
Comment 12 by kenrb@chromium.org, Aug 18 2011
Cc: eroman@chromium.org
Cc: asanka@chromium.org
Adding Asanka to the cc line; he's working in the filename determination area within downloads.  Asanka, is the work you're doing relevant to this CL?

#9: We are stripping trailing whitespace and periods because of issues like this:

  http://support.microsoft.com/kb/115827

Or are you suggesting that we encode trailing whitespace and periods instead of stripping them?

Comment 16 by kenrb@chromium.org, Aug 19 2011
The patch I have written (and is awaiting code review) still strips those characters, but is now replacing them with hyphens to prevent obfuscation of .exe extensions.

I discussed the possibility of encoding them with jschuh, but we opted for hyphens because it is simpler and is consistent with existing treatment of illegal filename characters.
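As an added illustration for this thread (not Chromium's net_util.cc and not the r98148 patch), the following C++ models the two policies discussed in comments 12 and 16: silently trimming the leading/trailing whitespace and trailing periods that Windows itself drops (KB 115827), versus replacing each such character with a hyphen. It also shows the inconsistency from comment 7: under the silent-trim policy, a name whose extension a danger heuristic considers harmless is saved as an .exe. The function names, the whitespace set, and the dangerous-extension list are this example's own assumptions.

```cpp
// Added illustration, not Chromium's code. Models the download file-name
// sanitization discussed in this bug: the pre-fix policy that silently
// trimmed leading/trailing whitespace and trailing periods (the characters
// Windows drops, per KB 115827), and the r98148 policy that replaces each
// of them with '-'. Function names, the whitespace set and the
// dangerous-extension list are this example's own choices.
#include <cassert>
#include <iostream>
#include <string>

namespace {

// Whitespace recognised by this example (assumed subset): ASCII blanks plus
// U+00A0 (the no-break space in the report), U+2000..U+200A and U+3000.
bool IsWhitespace(wchar_t c) {
  return c == L' ' || c == L'\t' || c == L'\r' || c == L'\n' ||
         c == 0x00A0 || (c >= 0x2000 && c <= 0x200A) || c == 0x3000;
}

// Characters that are never valid in a Windows file name component.
bool IsIllegalWindowsChar(wchar_t c) {
  static const std::wstring kIllegal = L"<>:\"/\\|?*";
  return c < 0x20 || kIllegal.find(c) != std::wstring::npos;
}

// Replaces characters that are illegal anywhere in the name with '-'.
std::wstring ReplaceIllegalChars(const std::wstring& name) {
  std::wstring result = name;
  for (wchar_t& c : result)
    if (IsIllegalWindowsChar(c)) c = L'-';
  return result;
}

}  // namespace

// The extension as a "dangerous file" heuristic sees it: from the last '.'
// to the end of the name, ASCII letters lower-cased.
std::wstring GetExtension(const std::wstring& name) {
  size_t dot = name.rfind(L'.');
  if (dot == std::wstring::npos) return L"";
  std::wstring ext = name.substr(dot);
  for (wchar_t& c : ext)
    if (c >= L'A' && c <= L'Z') c = c - L'A' + L'a';
  return ext;
}

// Minimal stand-in for the danger heuristic (constructed list).
bool IsDangerousExtension(const std::wstring& ext) {
  static const wchar_t* const kDangerous[] = {L".exe", L".bat", L".cmd",
                                              L".com", L".scr"};
  for (const wchar_t* d : kDangerous)
    if (ext == d) return true;
  return false;
}

// Pre-fix policy (model): trim leading/trailing whitespace and trailing
// periods, discarding them. "meh.exe\u00A0" becomes "meh.exe".
std::wstring SanitizeLegacy(const std::wstring& name) {
  std::wstring result = ReplaceIllegalChars(name);
  size_t start = 0;
  while (start < result.size() && IsWhitespace(result[start])) ++start;
  size_t end = result.size();
  while (end > start &&
         (IsWhitespace(result[end - 1]) || result[end - 1] == L'.'))
    --end;
  return result.substr(start, end - start);
}

// r98148 policy (model): the same characters are rejected, but each one is
// replaced by '-' so nothing is silently dropped. "meh.exe\u00A0" becomes
// "meh.exe-", which no longer ends in ".exe".
std::wstring SanitizeWithHyphens(const std::wstring& name) {
  std::wstring result = ReplaceIllegalChars(name);
  for (size_t i = 0; i < result.size() && IsWhitespace(result[i]); ++i)
    result[i] = L'-';
  for (size_t i = result.size();
       i > 0 && (IsWhitespace(result[i - 1]) || result[i - 1] == L'.'); --i)
    result[i - 1] = L'-';
  return result;
}

// True when a policy turns a name whose extension the heuristic considered
// safe into one whose extension is dangerous: the inconsistency this bug
// is about.
bool SanitizationHidesDangerousExtension(
    const std::wstring& raw, std::wstring (*sanitize)(const std::wstring&)) {
  bool before = IsDangerousExtension(GetExtension(raw));
  bool after = IsDangerousExtension(GetExtension(sanitize(raw)));
  return !before && after;
}

int main() {
  const std::wstring raw = L"meh.exe\u00A0";  // constructed: the report's name
  assert(SanitizationHidesDangerousExtension(raw, SanitizeLegacy));
  assert(!SanitizationHidesDangerousExtension(raw, SanitizeWithHyphens));
  std::cout << "silent trim hides .exe: yes; hyphen replacement hides .exe: no\n";
  return 0;
}
```

Compile with `g++ -std=c++11 sanitize_example.cc && ./a.out`. The point of the hyphen policy is that the saved name and the name the danger heuristic examined agree on where the extension ends; with the silent trim, the check ran on `.exe` followed by a no-break space while the file landed on disk as `meh.exe`.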
Sounds good.

Though you'll run into conflicts with http://codereview.chromium.org/7607013/.

Comment 18 by kenrb@chromium.org, Aug 22 2011
Jschuh: The trybot results look okay to me; are you okay to commit this CL?
Comment 19 by Deleted ...@, Aug 22 2011
I should not be getting these emails. 
Cc: -a deleted user
Project Member Comment 21 by bugdroid1@chromium.org, Aug 25 2011
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=98148

------------------------------------------------------------------------
r98148 | kenrb@chromium.org | Wed Aug 24 16:58:19 PDT 2011

Changed paths:
 M http://src.chromium.org/viewvc/chrome/trunk/src/net/base/net_util.cc?r1=98148&r2=98147&pathrev=98148
 M http://src.chromium.org/viewvc/chrome/trunk/src/net/base/net_util_unittest.cc?r1=98148&r2=98147&pathrev=98148

Replace whitespace at beginning and end of file with hyphens, rather than silently discarding.

BUG= 90217 
TEST=all


Review URL: http://codereview.chromium.org/7647014
------------------------------------------------------------------------
Labels: -Restrict-View-SecurityTeam -Mstone-14 Restrict-View-SecurityNotify Mstone-15
Status: FixUnreleased
I think this is now fixed, Ken? Please re-open it if I've marked it as fixed in error :)
Labels: SecImpacts-Stable
Batch update.
Cc: marc.no...@gmail.com
@marc.novak: we'll credit you for this in our Chrome 15 release notes. Let me know if that's not ok, or if there's some particular credit line you'd prefer.
@scarybeasts: Thanks for the message, a credit would be great! Can you use "Marc Novak" as the credit line. If there's a hyperlink option on the credit line, please use http://uk.linkedin.com/pub/marc-novak/2a/732/abb

Good work guys and thanks :)

P.S. Was the associated Gmail vulnerability reported under my correct email address? I noticed that an incorrect one was originally used on this thread.
Labels: CVE-2011-3876
Comment 27 by cdn@chromium.org, May 15 2012
Status: Fixed
Marking old security bugs Fixed..
Project Member Comment 28 by bugdroid1@chromium.org, Oct 13 2012
Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.
Project Member Comment 29 by bugdroid1@chromium.org, Mar 10 2013
Labels: -Type-Security -SecSeverity-Low -Mstone-15 -Area-Internals -Feature-Downloads -SecImpacts-Stable Security-Severity-Low Cr-Internals Security-Impact-Stable M-15 Type-Bug-Security Cr-UI-Browser-Downloads
Project Member Comment 30 by bugdroid1@chromium.org, Mar 13 2013
Labels: Restrict-View-EditIssue
Project Member Comment 31 by bugdroid1@chromium.org, Mar 13 2013
Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue
Labels: -Restrict-View-SecurityNotify -Restrict-View-EditIssue
Project Member Comment 33 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Severity-Low Security_Severity-Low
Project Member Comment 34 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Impact-Stable Security_Impact-Stable
Project Member Comment 35 by sheriffbot@chromium.org, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 36 by sheriffbot@chromium.org, Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic