Firefox and the `you have chosen to open ...' dialogue
Martin Pitt
martin.pitt at ubuntu.com
Fri Mar 3 07:17:32 GMT 2006
Hi!
Aigars Mahinovs [2006-02-24 23:29 +0200]:
> > Secondly, and this will form the bulk of the issues dealt with in this
> > mail, it has been suggested that there are security problems with
> > removing this dialogue.
>
> While I can see the potential security problems of opening files,
> currently it is not the concern people have when making decision
> whether to open a link in an application or to save it.
I think that's too simple. People should also be able to expect what
happens if they click a link, which they can't any more now. Look for
example at
http://www.ubuntu.com/usn/usn-248-1
This was a security flaw in unzip, which was quite harmless on its
own: you could execute arbitrary code with extraordinarily long,
specially crafted file names. Few people who are reasonably familiar
with computers would click on a link like this:
http://foo.com/foAAAAAAAAAAAAAAAAAAAAAAAAAA[4000 more A]%34%85%03%01%Fo.zip
It looks too suspicious (imagine a 4 KB URL), and few people would
attempt to put this into a phishing email. But now, guess how many
people would click on
http://foo.com/news.html
The problem is that this HTML page could easily set an HTTP forward or
a small JavaScript snippet to point to the above URL. Clicking on HTML
and suddenly getting OpenOffice or file-roller opened? That's totally not
expected, and even dangerous in the time of known, but unfixed
vulnerabilities (e. g. we are one of the few distros which
actually fixed this unzip vuln; most of them considered it too
unimportant).
So, while Ian is right that this was actually a vulnerability in
unzip, it greatly increases the danger of it. It always takes a
certain amount of time until vulnerabilities can be fixed, and in that
time, users would be hopelessly defenceless. You can't even say to
them "don't open untrusted zip files". Please remember the recent WMF
exploit in Windows. When Linux becomes more widespread, it will face
similar attacks.
So, my pleas:
* We should be safe by default. Whenever a user encounters a new
file type, he should at least be aware that this opens a new
application; also, he can choose the particular app he wants to
open the file with, or just download it. The same dialog also
offers to 'always perform this action', so if you are annoyed by
the dialog, it is dead easy to get the effect of no dialog in the
future, but *only* for this particular file type.
* If we really have to keep this feature (I strongly think we
shouldn't), then it is incredibly important that it is robustly
restricted to URLs which the user requested directly with a click
or by entering in the URL line. It is a grave bug to do the same on
automatically visited URLs. Second, it is important to allow
switching off this auto-opening in an easy and obvious way.
Thanks for considering,
Martin
--
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntu.com
Debian Developer http://www.debian.org
In a world without walls and fences, who needs Windows and Gates?
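The policy the mail asks for (auto-open only when the user requested the final URL directly, and only for a type the user has marked 'always perform this action'), modelled as a decision function. This is an added illustration, not Firefox or Ubuntu code; the Hop/Download types, the "user"/"redirect"/"script" cause labels, the MAX_NAME_LEN bound and the scenarios are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# How the browser arrived at a URL. Only USER counts as a direct request.
USER, REDIRECT, SCRIPT = "user", "redirect", "script"

@dataclass
class Hop:
    url: str
    cause: str  # USER (click / typed), REDIRECT (HTTP 3xx, meta refresh) or SCRIPT (JS)

@dataclass
class Download:
    chain: List[Hop]            # navigation hops, first to last
    content_type: str           # MIME type of the final response
    always_open: Dict[str, str] = field(default_factory=dict)  # type -> stored handler

# Hypothetical sanity bound: a path component far longer than any real file name.
MAX_NAME_LEN = 255

def decide(d: Download) -> Tuple[str, str]:
    """Return (action, reason): 'open' with the stored handler, or 'ask' the user."""
    final = d.chain[-1]
    handler = d.always_open.get(d.content_type)
    if handler is None:
        return "ask", "no 'always perform this action' choice for %s" % d.content_type
    if final.cause != USER:
        # The user clicked something else; the download URL was reached automatically.
        return "ask", "final URL reached by %s, not by a direct request" % final.cause
    name = urlparse(final.url).path.rsplit("/", 1)[-1]
    if len(name) > MAX_NAME_LEN:
        return "ask", "file name of %d characters exceeds sanity bound" % len(name)
    return "open", "direct request, handler %s" % handler

# Constructed scenarios mirroring the mail: a click on news.html whose script jumps
# to an oversized .zip, versus the user clicking a .zip link directly.
def scenarios() -> Dict[str, Tuple[str, str]]:
    prefs = {"application/zip": "file-roller"}
    evil = "http://foo.com/fo" + "A" * 4000 + ".zip"
    via_page = Download([Hop("http://foo.com/news.html", USER), Hop(evil, SCRIPT)],
                        "application/zip", prefs)
    direct_ok = Download([Hop("http://foo.com/report.zip", USER)], "application/zip", prefs)
    direct_odd = Download([Hop(evil, USER)], "application/zip", prefs)
    return {"via_page": decide(via_page), "direct_ok": decide(direct_ok),
            "direct_odd": decide(direct_odd)}

if __name__ == "__main__":
    for name, (action, reason) in scenarios().items():
        print(f"{name:10s} -> {action:4s} ({reason})")
```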