Firefox and the `you have chosen to open ...' dialogue

Martin Pitt martin.pitt at ubuntu.com
Fri Mar 3 13:55:22 GMT 2006


Hi!

Ian Jackson [2006-03-03 12:46 +0000]:
> >   http://www.ubuntu.com/usn/usn-248-1
> > 
> > This was a security flaw in unzip, which was quite harmless on its
> > own: you could execute arbitrary code with extraordinarily long,
> > specially crafted file names. Few people who are reasonably familiar
> > with computers would click on a link like this:
> > 
> >   http://foo.com/foAAAAAAAAAAAAAAAAAAAAAAAAAA[4000 more A]%34%85%03%01%Fo.zip
> 
> This is a specific case of the general problem that Firefox is much
> too willing to preserve websites' filenames even if they are
> unreasonable or misleading (eg, wrong extension, unreasonable
> characters, etc.)

The point is that merely opening this file with file-roller would have
caused arbitrary code to be executed on your computer. I.e. you click
on a link which looks like it leads to a .html page, and suddenly you
find your home directory empty, or otherwise compromised.

Likewise, this suddenly opens a huge door to trigger bugs in any
application that is registered in the Gnome MIME database *without any
user interaction*.

> > The problem is that this html page could easily set a http forward or
> > a small javascript snippet to point to the above URL. Clicking on html
> > and suddenly get OpenOffice or file-roller opened? That's totally not
> > expected, and even dangerous in the time of known, but unfixed
> > vulnerabilities (e. g. we are one of the few distros which
> > actually fixed this unzip vuln, most of them considered it too
> > unimportant).
> 
> Does the extra dialogue really help a non-expert user ?  Aren't they
> just going to say `yes' ?  And doesn't this train the user to always
> click `yes' so that the value of all confirmations is decreased ?

There is absolutely no help against users who always click 'yes'
without reading. You can't prevent such users from catching a trojan.

But my concern is that the change makes it impossible to defend
against trojan horses even for users who do read questions and are
aware of such issues.

> >  * If we really have to keep this feature (I strongly think we
> >    shouldn't), [...]
> 
> I would really like to have an idea of how many people find the new
> behaviour better.  This is supposed to be a useability improvement.
> If in practice it confuses and annoys people then we should revert it;
> if the benefits are marginal then reverting it because of these
> security fears seems reasonable.

I agree that the usability of the dialog can be improved (the
suggestion of showing a list of applications instead of entering a
path was a good one IMHO), but it should explicitly show the file
name, MIME type, etc.

Thank you for considering,

Martin

-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?
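The mail above turns on three properties of a server-supplied filename: absurd length, junk characters smuggled in via %-encoding, and an extension that says one thing while the declared MIME type (and therefore the helper application) says another. The following is an added example written for this archive page, not Firefox's, GNOME's or Ubuntu's code. It sanitises the last URL path segment into something safe to write to disk and renders the confirmation text the mail asks for (file name, MIME type, helper). The MAX_NAME_LEN bound, the MIME_TO_EXT / MIME_TO_APP tables and the FORBIDDEN character set are assumptions standing in for the real desktop MIME database; the sample URL is constructed in the shape of the one quoted in the mail and does not point at a real site.

```python
# Added example (not Firefox's or Ubuntu's code): sanitise a server-supplied
# download filename and build a confirmation line that shows name + MIME type.
import os
from dataclasses import dataclass
from urllib.parse import unquote, urlsplit

MAX_NAME_LEN = 200  # assumption: bound on the final filename length

# Assumption: tiny stand-ins for the desktop MIME database and its handlers.
MIME_TO_EXT = {
    "text/html": ".html",
    "text/plain": ".txt",
    "application/zip": ".zip",
    "application/vnd.oasis.opendocument.text": ".odt",
}
MIME_TO_APP = {
    "application/zip": "file-roller",
    "application/vnd.oasis.opendocument.text": "openoffice",
}
FORBIDDEN = set('/\\<>:"|?*')  # path separators and filesystem metacharacters


@dataclass
class Download:
    name: str           # filename safe to write and to show in a dialog
    mime: str           # declared Content-Type with parameters stripped
    app: str            # helper that would be launched, or "(none)"
    truncated: bool     # name had to be cut down to MAX_NAME_LEN
    stripped: int       # number of junk characters removed
    ext_mismatch: bool  # extension disagrees with the declared MIME type


def filename_from_url(url: str) -> str:
    """Last path segment, percent-decoded: %03%01 become raw control bytes here."""
    return unquote(os.path.basename(urlsplit(url).path))


def sanitize(raw_name: str, content_type: str) -> Download:
    mime = content_type.split(";")[0].strip().lower()

    # 1. keep only the last component, in case decoding produced '/' or '\'
    tail = raw_name.replace("\\", "/").rsplit("/", 1)[-1]

    # 2. drop control chars, undecodable bytes (U+FFFD) and metacharacters
    kept = [c for c in tail
            if c.isprintable() and c != "\ufffd" and c not in FORBIDDEN]
    stripped = len(tail) - len(kept)
    name = "".join(kept).strip().lstrip(".")  # no hidden dotfiles

    # 3. bound the length but keep the extension so the type stays visible
    stem, ext = os.path.splitext(name)
    ext = ext.lower()
    stem = stem or "download"
    room = MAX_NAME_LEN - len(ext)
    truncated = len(stem) > room
    stem = stem[:room]

    # 4. compare the extension the site chose with the type it declared
    expected = MIME_TO_EXT.get(mime)
    ext_mismatch = expected is not None and ext != expected

    return Download(stem + ext, mime, MIME_TO_APP.get(mime, "(none)"),
                    truncated, stripped, ext_mismatch)


def dialog_text(d: Download) -> str:
    """The confirmation the mail asks for: name, MIME type and helper, plus a warning."""
    warn = ""
    if d.ext_mismatch:
        warn = " WARNING: extension does not match the declared type."
    return f"Open '{d.name}' ({d.mime}) with {d.app}?{warn}"


if __name__ == "__main__":
    # Constructed sample in the shape of the URL quoted in the mail.
    url = "http://foo.com/fo" + "A" * 4000 + "%34%85%03%01%Fo.zip"
    d = sanitize(filename_from_url(url), "application/zip")
    print(dialog_text(d), "truncated:", d.truncated, "stripped:", d.stripped)
    d2 = sanitize(filename_from_url("http://foo.com/report.html"), "application/zip")
    print(dialog_text(d2))
```

Run stand-alone, the 4000-character name collapses to a 200-character `.zip` with the three control/undecodable characters removed, while `report.html` served as `application/zip` is flagged, which is exactly the "looks like a .html page, opens in file-roller" case the mail describes.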