Skip to content
This repository has been archived by the owner on Dec 11, 2019. It is now read-only.

[hackerone] download attribute allows downloading local files #10644

Closed
diracdeltas opened this issue Aug 23, 2017 · 1 comment · May be fixed by brave/muon#289
Closed

[hackerone] download attribute allows downloading local files #10644

diracdeltas opened this issue Aug 23, 2017 · 1 comment · May be fixed by brave/muon#289
Assignees
@diracdeltas
Labels
fixed-with-brave-core This issue will automatically resolved with the replacement of Muon with Brave Core. priority/P4 Minor loss of function. Workaround usually present. security wontfix

Comments

@diracdeltas
Copy link
Member

diracdeltas commented Aug 23, 2017
edited
Loading

from https://hackerone.com/reports/258710:

"The attribute download in a a tag allows for download the href target to file and saving it locally.
In mozilla and chrome, it is forbidden to download local file via file:// .., in Brave however this is not enforced and it is not clear to the user if they are downloading something remote or local. This could be abused to social engineering and phishing that is hard to spot without reviewing the js code."

Create a <a href="files:///etc///passwd" download>Download local file</a>
On a linux machine, click the link, download the file, open it. It's the local file.

Expected result file:// not allowd
Result file downloaded

I don't see much of a security risk here, but the same behavior is not possible in Chrome.

PoC: https://jsfiddle.net/zm2jfovs/ (try clicking the download link in Chrome vs Brave)
@gnanasekar-somanathan
Copy link

In chrome browser the file download is blocked here.
https://cs.chromium.org/chromium/src/content/browser/child_process_security_policy_impl.cc?gsn=CanRequestURL&l=226
it returns false here and hence its blocked

@diracdeltas diracdeltas added this to the 0.22.x milestone Aug 25, 2017
Open
@diracdeltas diracdeltas mentioned this issue Sep 2, 2017
Closed
@bbondy bbondy modified the milestones: 0.22.x (Nightly Channel), Backlog Oct 25, 2017
@diracdeltas diracdeltas self-assigned this Oct 27, 2017
@diracdeltas diracdeltas added the priority/P4 Minor loss of function. Workaround usually present. label Oct 27, 2017
@bbondy bbondy modified the milestones: Triage Backlog, Prioritized Backlog Nov 2, 2017
@bsclifton bsclifton modified the milestones: Backlog (Prioritized), Completed work Feb 28, 2018
@bsclifton bsclifton removed this from the Completed work milestone Sep 10, 2018
@jumde jumde added the fixed-with-brave-core This issue will automatically resolved with the replacement of Muon with Brave Core. label Sep 18, 2018
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@diracdeltas diracdeltas

Labels
fixed-with-brave-core This issue will automatically resolved with the replacement of Muon with Brave Core. priority/P4 Minor loss of function. Workaround usually present. security wontfix
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Chromium ContentBrowserclient Embedder api IsHandledUrl was not impl… gnanasekar-somanathan/muon
6 participants
@diracdeltas @bbondy @jumde @luixxiul @bsclifton @gnanasekar-somanathan