
Issue metadata

Status: Fixed
Owner:
Closed: Aug 2011
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 3
Type: Bug-Security


Prevent silent truncation of trailing characters in downloaded file names

Reported by sirdarck...@gmail.com, Jul 22 2011

Issue description

VULNERABILITY DETAILS
The attached file won't prompt you the typical "this file can potentially damage your computer"

VERSION
Chrome Version: 14.0.825.0 dev-m
Operating System: Windows 7 - also works on windows xp

REPRODUCTION CASE
click the attached file

see bug/5067277 credit/reward should be given to marc.novak@gmail.com
 
Attachment: meh.exe (8 bytes)
To fix this I would suggest doing as Firefox or IE do, which encode or save the file with the char.

Comment 2 by jsc...@chromium.org, Jul 24 2011

Status: WontFix
Many file types are not prompted on download based on a few heuristics (user gesture, visited the site before today, etc.). 
Labels: -Restrict-View-SecurityTeam -Area-Undefined
You are right.

http://0x.lv/xss.php?frame_xss=http://commondatastorage.googleapis.com/sirdarckcat/work/meh.exe%25C2%25A0

Greetings!!

Comment 4 by jsc...@chromium.org, Jul 26 2011

Labels: SecSeverity-Low
Owner: kenrb@chromium.org
Status: Assigned
The thing here is that CreateFile always truncates any trailing whitespace and period characters. In the scenario described it's not a security issue, but we really should account for that when we canonicalize the filename on Windows. I'm not sure where that code is, so this should be a fun starter bug for Ken.

Comment 5 by jsc...@chromium.org, Jul 27 2011

Labels: -Pri-0 Pri-3 Restrict-View-SecurityTeam

Comment 6 by kenrb@chromium.org, Jul 29 2011

Status: WontFix
The bug does not reproduce on beta, canary, or trunk. Visiting the link in comment 3 with an empty user data directory gives the harmful download prompt.

Comment 7 by adammein@google.com, Aug 11 2011

hey Ken. The dialog prompt is expected on that link. 

I believe the issue is: if something like meh.exe%25C2%25A0 will be downloaded from Gmail, it won't prompt (due to various heuristics), but will be saved as meh.exe (trailing characters stripped). 

So we have the situation where Gmail allows the sending of the attachment (since it's not a banned file), and Chrome happily downloads and converts it to an unsafe file type without a prompt.

Comment 8 by kenrb@chromium.org, Aug 11 2011

Adam, this bug was focused on where trailing characters might be stripped, potentially confusing the heuristic. With the Gmail case, is the behavior any different downloading meh.exe%25C2%25A0 compared to downloading meh.exe?

Comment 9 by jsc...@chromium.org, Aug 11 2011

Labels: OS-Windows
Status: Assigned
Summary: Prevent silent truncation of trailing characters in downloaded file names
Reopening. This was closed due to some confusion on what the actual bug was. Just to clarify, we need to fix the downloaded file canonicalization on Windows so it doesn't strip trailing whitespace and period characters.
Cc: rdsmith@chromium.org
Labels: Mstone-14 Area-Internals Feature-Downloads
Cc: adammein@google.com

Comment 12 by kenrb@chromium.org, Aug 18 2011

Cc: eroman@chromium.org
Cc: asanka@chromium.org
Adding Asanka to the cc line; he's working in the filename determination area within downloads.  Asanka, is the work you're doing relevant to this CL?

#9: We are stripping trailing whitespace and periods because of issues like this:

  http://support.microsoft.com/kb/115827

Or are you suggesting that we encode trailing whitespace and periods instead of stripping them?

Comment 16 by kenrb@chromium.org, Aug 19 2011

The patch I have written (and is awaiting code review) still strips those characters, but is now replacing them with hyphens to prevent obfuscation of .exe extensions.

I discussed the possibility of encoding them with jschuh, but we opted for hyphens because it is simpler and is consistent with existing treatment of illegal filename characters.
Sounds good.

Though you'll run into conflicts with http://codereview.chromium.org/7607013/.
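An added example, not the Chromium patch or any project code, that models in Python the two behaviours discussed above: the silent trimming of leading/trailing whitespace and trailing periods (comment 12) and the hyphen replacement that comment 16 describes. The regular expressions, function names and the small "dangerous extension" list are my own assumptions for illustration.

```python
import os.path
import re

# Leading whitespace, and trailing whitespace or periods. For str patterns,
# Python's \s matches Unicode whitespace, so U+00A0 (the %C2%A0 in the
# report) is covered. Trailing spaces and periods are also what Windows
# file creation drops on its own (the KB article cited in comment 12).
_LEADING = re.compile(r"^\s+")
_TRAILING = re.compile(r"[\s.]+$")

# Assumed, illustrative list of extensions a download heuristic would flag.
DANGEROUS_EXTENSIONS = {".exe", ".bat", ".cmd", ".com", ".scr", ".msi"}


def extension_of(name):
    """Extension exactly as a naive heuristic run on the raw name would see it."""
    return os.path.splitext(name)[1].lower()


def is_dangerous_extension(name):
    return extension_of(name) in DANGEROUS_EXTENSIONS


def truncating_sanitize(name):
    """'Before' behaviour: trailing/leading characters are silently discarded,
    so 'meh.exe<nbsp>' becomes 'meh.exe' on disk."""
    return _TRAILING.sub("", _LEADING.sub("", name))


def hyphenating_sanitize(name):
    """'After' behaviour (comment 16): every such character becomes a hyphen,
    so the name that is checked is the name that lands on disk."""
    def dashes(match):
        return "-" * len(match.group(0))
    return _TRAILING.sub(dashes, _LEADING.sub(dashes, name))


def check_download(name):
    """Sanitize first, then classify; returns (final_name, needs_prompt)."""
    final = hyphenating_sanitize(name)
    return final, is_dangerous_extension(final)


if __name__ == "__main__":
    raw = "meh.exe\u00a0"  # constructed sample matching the report
    print(repr(truncating_sanitize(raw)), is_dangerous_extension(raw))
    print(check_download(raw))
```

The first print shows the gap the bug is about: the raw name's extension is not in the list, yet the truncated name that reaches disk is an executable; the hyphenated name has no such mismatch.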

Comment 18 by kenrb@chromium.org, Aug 22 2011

Jschuh: The try bot results look okay to me; are you okay to commit this CL?

Comment 19 by Deleted ...@, Aug 22 2011

I should not be getting these emails. 
Cc: -a deleted user

Comment 21 by bugdroid1@chromium.org, Aug 25 2011

The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=98148

------------------------------------------------------------------------
r98148 | kenrb@chromium.org | Wed Aug 24 16:58:19 PDT 2011

Changed paths:
 M http://src.chromium.org/viewvc/chrome/trunk/src/net/base/net_util.cc?r1=98148&r2=98147&pathrev=98148
 M http://src.chromium.org/viewvc/chrome/trunk/src/net/base/net_util_unittest.cc?r1=98148&r2=98147&pathrev=98148

Replace whitespace at beginning and end of file with hyphens, rather than silently discarding.

BUG= 90217 
TEST=all


Review URL: http://codereview.chromium.org/7647014
------------------------------------------------------------------------
Labels: -Restrict-View-SecurityTeam -Mstone-14 Restrict-View-SecurityNotify Mstone-15
Status: FixUnreleased
I think this is now fixed, Ken? Please re-open it if I've marked it as fixed in error :)
Labels: SecImpacts-Stable
Batch update.
Cc: marc.no...@gmail.com
@marc.novak: we'll credit you for this in our Chrome 15 release notes. Let me know if that's not ok, or if there's some particular credit line you'd prefer.
@scarybeasts: Thanks for the message, a credit would be great! Can you use
"Marc Novak" as the credit line? If there's a hyperlink option on the credit
line, please use http://uk.linkedin.com/pub/marc-novak/2a/732/abb

Good work guys and thanks :)

P.S. Was the associated Gmail vulnerability reported under my correct email
address? I noticed that an incorrect one was originally used on this thread.
Labels: CVE-2011-3876

Comment 27 by cdn@chromium.org, May 15 2012

Status: Fixed
Marking old security bugs Fixed.

Comment 28 by bugdroid1@chromium.org, Oct 13 2012

Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.

Comment 29 by bugdroid1@chromium.org, Mar 10 2013

Labels: -Type-Security -SecSeverity-Low -Mstone-15 -Area-Internals -Feature-Downloads -SecImpacts-Stable Security-Severity-Low Cr-Internals Security-Impact-Stable M-15 Type-Bug-Security Cr-UI-Browser-Downloads

Comment 30 by bugdroid1@chromium.org, Mar 13 2013

Labels: Restrict-View-EditIssue

Comment 31 by bugdroid1@chromium.org, Mar 13 2013

Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue
Labels: -Restrict-View-SecurityNotify -Restrict-View-EditIssue

Comment 33 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Severity-Low Security_Severity-Low

Comment 34 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Impact-Stable Security_Impact-Stable

Comment 35 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 36 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
Labels: CVE_description-submitted
