Firefox and the `you have chosen to open ...' dialogue

Martin Pitt martin.pitt at ubuntu.com
Fri Mar 3 07:17:32 GMT 2006


Hi!

Aigars Mahinovs [2006-02-24 23:29 +0200]:
> > Secondly, and this will form the bulk of the issues dealt with in this
> > mail, it has been suggested that there are security problems with
> > removing this dialogue.
> 
> While I can see the potential security problems of opening files,
> currently it is not the concern people have when making decision
> whether to open a link in an application or to save it.

I think that's too simple. People should also be able to expect what
happens if they click a link, which they can't any more now. Look for
example at

  http://www.ubuntu.com/usn/usn-248-1

This was a security flaw in unzip, which was quite harmless on its
own: you could execute arbitrary code with extraordinarily long,
specially crafted file names. Few people who are reasonably familiar
with computers would click on a link like this:

  http://foo.com/foAAAAAAAAAAAAAAAAAAAAAAAAAA[4000 more A]%34%85%03%01%Fo.zip

It looks too suspicious (imagine a 4 KB URL), and few people would
attempt to put this into a phishing email. But now, guess how many
people would click on

  http://foo.com/news.html

The problem is that this HTML page could easily set an HTTP forward or
a small JavaScript snippet to point to the above URL. Clicking on HTML
and suddenly getting OpenOffice or file-roller opened? That's totally not
expected, and even dangerous in the time of known but unfixed
vulnerabilities (e.g. we are one of the few distros which
actually fixed this unzip vuln; most of them considered it too
unimportant).

So, while Ian is right that this was actually a vulnerability in
unzip, it greatly increases the danger of it. It always takes a
certain amount of time until vulnerabilities can be fixed, and in that
time, users would be hopelessly defenceless. You can't even say to
them "don't open untrusted zip files". Please remember the recent WMF
exploit in Windows. When Linux becomes more widespread, it will face
similar attacks.

So, my pleas:

 * We should be safe by default. Whenever a user encounters a new
   file type, he should at least be aware that this opens a new
   application; also, he can choose the particular app he wants to
   open the file with, or just download it. The same dialog also
   offers to 'always perform this action', so if you are annoyed by
   the dialog, it is dead easy to get the effect of no dialog in the
   future, but *only* for this particular file type.

 * If we really have to keep this feature (I strongly think we
   shouldn't), then it is incredibly important that it is robustly
   restricted to URLs which the user requested directly with a click
   or by entering in the URL line. It is a grave bug to do the same on
   automatically visited URLs. Second, it is important to allow
   switching off this auto-opening in an easy and obvious way.

Thanks for considering,

Martin
-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?
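The scenario in the mail above (an innocuous news.html that forwards the browser to a crafted archive name, which the browser then hands to an application without asking) is also something a proxy log can reveal after the fact. The following is an added example written for this archive page, not code from Martin Pitt or from Ubuntu: it replays a constructed log (client, method, URL, status, content type, Location header) and flags archive downloads that were fetched automatically via a 3xx redirect rather than by a direct request, or whose file name looks crafted (longer than an assumed 255-character name limit, or decoding to non-printable bytes). The log format, the sample clients and the shortened 300-A file name are all constructed for the example.

```python
from collections import namedtuple
from urllib.parse import urlsplit, unquote_to_bytes

LogEntry = namedtuple("LogEntry", "client method url status ctype location")

# Constructed proxy log, one request per line:
#   client method url status content-type location-header-or-'-'
# The first two lines replay the mail's scenario: the innocuous page answers 302
# and the browser automatically fetches a crafted archive name (the mail's
# 4000 A's shortened to 300 here; the percent-escapes decode to non-printable bytes).
_CRAFTED = "http://foo.com/fo" + "A" * 300 + "%34%85%03%01.zip"
SAMPLE_LOG = "\n".join([
    f"10.0.0.5 GET http://foo.com/news.html 302 text/html {_CRAFTED}",
    f"10.0.0.5 GET {_CRAFTED} 200 application/zip -",
    "10.0.0.7 GET http://foo.com/report.zip 200 application/zip -",
])

# Content types that would be handed straight to an archive tool such as file-roller.
ARCHIVE_TYPES = {"application/zip", "application/x-tar", "application/x-gzip"}
MAX_NAME_LEN = 255  # assumption: the usual single-component file name limit


def parse_log(text):
    """Parse the constructed space-separated log format into LogEntry tuples."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split()
        if len(fields) != 6:
            raise ValueError(f"malformed log line: {line!r}")
        client, method, url, status, ctype, location = fields
        entries.append(LogEntry(client, method, url, int(status), ctype, location))
    return entries


def filename_of(url):
    """Last path component of the URL, still percent-encoded."""
    return urlsplit(url).path.rsplit("/", 1)[-1]


def filename_problems(url):
    """Heuristics for a crafted file name: excessive length or non-printable bytes."""
    name = filename_of(url)
    problems = []
    if len(name) > MAX_NAME_LEN:
        problems.append(f"name length {len(name)} exceeds {MAX_NAME_LEN}")
    raw = unquote_to_bytes(name)
    if any(b < 0x20 or b > 0x7E for b in raw):
        problems.append("non-printable bytes in decoded name")
    return problems


def redirect_origin(entries, client, url):
    """Walk 3xx Location hops backwards for this client.

    Returns the URL the client originally asked for, or None when `url`
    was requested directly (no redirect led to it).
    """
    by_location = {}
    for e in entries:
        if 300 <= e.status < 400 and e.location != "-":
            by_location[(e.client, e.location)] = e.url
    origin, cur, seen = None, url, set()
    while (client, cur) in by_location and cur not in seen:
        seen.add(cur)
        cur = by_location[(client, cur)]
        origin = cur
    return origin


def flag_downloads(entries):
    """Return findings for archive downloads reached automatically or carrying a crafted name."""
    findings = []
    for e in entries:
        if e.status != 200 or e.ctype not in ARCHIVE_TYPES:
            continue
        reasons = []
        origin = redirect_origin(entries, e.client, e.url)
        if origin:
            reasons.append(f"fetched automatically via redirect from {origin}")
        reasons.extend(filename_problems(e.url))
        if reasons:
            findings.append({"client": e.client, "url": e.url, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in flag_downloads(parse_log(SAMPLE_LOG)):
        print(f["client"], f["url"][:60] + "...", *f["reasons"], sep="\n  ")
```

On the sample log only the 10.0.0.5 download is reported: it was reached through the 302 from news.html and its name both exceeds the length limit and decodes to control and high bytes, while report.zip, fetched directly with a plain name, produces no finding. This is the distinction the second plea above asks the browser to make: a directly requested URL and an automatically visited one should not be treated the same.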