[Webkit-unassigned] [Bug 15874] New: Filenames in Content-Disposition header are interpreted insecurely

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Nov 6 21:57:25 PST 2007


           Summary: Filenames in Content-Disposition header are interpreted insecurely
           Product: WebKit
           Version: 523.x (Safari 3)
          Platform: Macintosh
        OS/Version: Mac OS X 10.5
            Status: UNCONFIRMED
          Severity: Normal
          Priority: P2
         Component: WebKit Misc.
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: sharding at dogcow.org

WebKit in Safari 3 interprets the "filename" parameter of Content-Disposition
headers in HTTP responses incorrectly, opening a potential security
vulnerability. It retains paths given in the filename parameter, allowing writing
downloaded files to any directory on the system to which the user has write
permission without any confirmation from the user. Example problem header:

Content-Disposition: attachment; filename=../../../../../../../../hi-there

This is defused somewhat by the fact that Safari appends "-[number]" to the
name, and it apparently will not overwrite an existing file. However, it's
quite conceivable that this could still result in a serious security
vulnerability. File downloads should be restricted to the configured download
folder (and potentially subfolders thereof).

From RFC 2183:

  "It is important that the receiving MUA not blindly use the suggested
   filename.  The suggested filename SHOULD be checked (and possibly
   changed) to see that it conforms to local filesystem conventions,
   does not overwrite an existing file, and does not present a security
   problem (see Security Considerations below).

   The receiving MUA SHOULD NOT respect any directory path information
   that may seem to be present in the filename parameter.  The filename
   should be treated as a terminal component only.  Portable
   specification of directory paths might possibly be done in the future
   via a separate Content-Disposition parameter, but no provision is
   made for it in this draft."
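As an added example (not code from the bug report or from WebKit), a small C++ sanitizer that applies the RFC 2183 rule quoted above: the filename parameter is reduced to its terminal path component before it is ever joined with the download folder, so the header in the report yields plain "hi-there". Function names are assumptions; only the simple "filename=" form is parsed, not the RFC 5987 "filename*=" encoding.

```cpp
#include <algorithm>
#include <cctype>
#include <string>

// Helper: strip leading/trailing spaces and tabs.
static std::string trim(const std::string& s)
{
    size_t b = s.find_first_not_of(" \t");
    if (b == std::string::npos) return "";
    size_t e = s.find_last_not_of(" \t");
    return s.substr(b, e - b + 1);
}

// Helper: case-insensitive prefix test (parameter names are case-insensitive).
static bool startsWithNoCase(const std::string& s, const std::string& prefix)
{
    if (s.size() < prefix.size()) return false;
    for (size_t i = 0; i < prefix.size(); ++i)
        if (std::tolower((unsigned char)s[i]) != std::tolower((unsigned char)prefix[i])) return false;
    return true;
}

// Extract the raw 'filename' parameter value (quoted or bare) from a
// Content-Disposition header value. Parameters are split on ';', so a quoted
// value containing ';' is not handled by this simplified parser.
std::string rawFilenameParam(const std::string& header)
{
    size_t start = 0;
    while (start <= header.size()) {
        size_t semi = header.find(';', start);
        std::string part = trim(header.substr(start, semi == std::string::npos ? std::string::npos : semi - start));
        if (startsWithNoCase(part, "filename=")) {
            std::string v = trim(part.substr(9));
            if (v.size() >= 2 && v.front() == '"' && v.back() == '"')
                v = v.substr(1, v.size() - 2);
            return v;
        }
        if (semi == std::string::npos) break;
        start = semi + 1;
    }
    return "";
}

// Reduce the suggested name to a terminal path component: everything up to the
// last '/' or '\' is discarded, control characters are dropped, and an empty,
// "." or ".." result falls back to a fixed default name.
std::string terminalComponent(const std::string& suggested)
{
    size_t cut = suggested.find_last_of("/\\");
    std::string name = cut == std::string::npos ? suggested : suggested.substr(cut + 1);
    name.erase(std::remove_if(name.begin(), name.end(),
        [](unsigned char c) { return c < 0x20 || c == 0x7f; }), name.end());
    if (name.empty() || name == "." || name == "..") return "download";
    return name;
}

// Header value in, safe terminal filename out; the caller joins this with
// the configured download folder and still applies its own collision handling.
std::string safeDownloadName(const std::string& contentDisposition)
{
    return terminalComponent(rawFilenameParam(contentDisposition));
}
```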
