Bug 30382 - WebKit should disallow a plug-in in an HTTP page from accessing local files.
Status: RESOLVED WONTFIX
Alias: None
Product: WebKit
Classification: Unclassified
Component: Plug-ins
Version: 528+ (Nightly build)
Hardware: PC OS X 10.5
Importance: P2 Normal
Assignee: Nobody
Reported: 2009-10-15 03:45 PDT by johnnyding
Modified: 2022-06-23 19:43 PDT
Description johnnyding 2009-10-15 03:45:13 PDT
Please take a look at the following HTML snippet.

<html>
<body>
<object id="wmp" classid="CLSID:22d6f312-b0f6-11d0-94ab-0080c74c7e95" codebase="http://activex.microsoft.com/activex/controls/mplayer/en/nsmp2inf.cab#Version=5,1,52,701" width="380" height="68">
  <param name="filename" value="file:///C:/Windows/Media/notify.wav">
</object>
</body>
</html>

In the above code, the plugin wmp loads the local media file "/C:/Windows/Media/notify.wav" specified by the "filename" PARAM.
When I put the HTML file on a web server, IE, Safari & Chrome can load the file over the HTTP protocol and play the local file "notify.wav" on my machine. (You must have notify.wav at the path "/C:/Windows/Media/" on your machine to play the HTML file.)

My question is: WebKit now calls SecurityOrigin::canLoad to check the URL of the plugin in FrameLoader::loadPlugin for security concerns. The URL comes from one of the following params (please refer to RenderPartObject::updateWidget):
src
movie
code
url
So "filename" currently cannot be recognized by WebKit. According to this MSDN article: http://msdn.microsoft.com/en-us/library/dd563990(VS.85).aspx, the "filename" and "src" PARAM elements are supported by the Firefox plug-in, but not by Internet Explorer. They both perform the same function as the "url" PARAM element. (When replacing "filename" with "url", Safari & Chrome will disallow playing the local file when loading the HTML file over the HTTP protocol.)

Since WebKit currently cannot recognize the "filename" PARAM, the value of "filename" (it is a URL) will not be checked against the SecurityOrigin policy, which means an HTML file on the internet may play a user's local file (if the HTML can guess the right path of the file).

I suggest handling "filename" in RenderPartObject::updateWidget. Any comments?

I know there are too many PARAMs, and each of them can carry a URL value, so checking only a few known PARAMs, such as "url" and "src", may not be good enough. One idea that comes to mind is to check the value of each PARAM to see whether it is a URL or not; if there is more than one URL, check each of them against the SecurityOrigin policy.
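
The idea in the description above (test every PARAM value rather than a fixed list of names), sketched as an added example; it is not WebKit code and not written by the reporter. `isLocalUrl`, `findBlockedParams` and every sample value except the `filename` one are hypothetical, and the policy is a simplified stand-in for SecurityOrigin::canLoad: a page that is not itself local may not reference `file:` URLs or Windows drive paths.

```javascript
// Added illustration: name-agnostic PARAM screening (hypothetical helper names).
const LOCAL_SCHEMES = new Set(["file:"]);

// True when a PARAM value points at the local file system.
function isLocalUrl(value) {
  const v = String(value).trim();
  // "C:/..." or "C:\..." would otherwise parse as a URL with scheme "c:",
  // so drive-letter paths are matched before URL parsing.
  if (/^[a-zA-Z]:[\\/]/.test(v)) return true;
  let url;
  try {
    url = new URL(v); // throws for values that are not absolute URLs
  } catch {
    return false;     // e.g. "true", "5,1,52,701"
  }
  // The parser lower-cases the scheme, so "FILE:" is caught as well.
  return LOCAL_SCHEMES.has(url.protocol);
}

// Returns the names of all PARAMs a page at pageUrl must not be allowed to pass
// to the plug-in, whatever the PARAM is called.
function findBlockedParams(pageUrl, params) {
  const page = new URL(pageUrl);
  if (LOCAL_SCHEMES.has(page.protocol)) return []; // local pages may load local files
  return params.filter((p) => isLocalUrl(p.value)).map((p) => p.name);
}

// Constructed sample: the first entry is the PARAM from the report,
// the others are made up for contrast.
const SAMPLE_PARAMS = [
  { name: "filename", value: "file:///C:/Windows/Media/notify.wav" },
  { name: "autostart", value: "true" },
  { name: "url", value: "http://media.example/clip.wav" },
];

console.log(findBlockedParams("http://www.example/test.html", SAMPLE_PARAMS));
console.log(findBlockedParams("file:///C:/test.html", SAMPLE_PARAMS));
```

Values with no scheme and no drive letter (relative paths, UNC paths) are not classified by this sketch; a real check would resolve them against the document's base URL first.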
Comment 1 Ahmad Saleem 2022-06-23 12:47:35 PDT
NPAPI and WebKit plugins are not supported anymore. Can this be marked as "RESOLVED WONTFIX"? Thanks!