[Webkit-unassigned] [Bug 30382] New: WebKit might need to recognize the "filename" param, then FrameLoader::loadPlugin can check value of filename for SecurityOrigin policy

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Oct 15 03:45:14 PDT 2009


https://bugs.webkit.org/show_bug.cgi?id=30382

           Summary: WebKit might need to recognize the "filename" param,
                    then FrameLoader::loadPlugin can check value of
                    filename for SecurityOrigin policy
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: PC
        OS/Version: Mac OS X 10.5
            Status: UNCONFIRMED
          Severity: Normal
          Priority: P2
         Component: Plug-ins
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: johnnyding.webkit at gmail.com
                CC: eric at webkit.org, hanrui.gao at gmail.com,
                    hongxu at google.com


Please take a look at the following HTML snippet.

<html>
<body>
<object id="wmp" classid="CLSID:22d6f312-b0f6-11d0-94ab-0080c74c7e95"
codebase="http://activex.microsoft.com/activex/controls/mplayer/en/nsmp2inf.cab#Version=5,1,52,701"
width="380" height="68">
<param name="filename" value="file:///C:/Windows/Media/notify.wav"></object>
</body></html>

In the above code, the plugin wmp loads the local media file
"/C:/Windows/Media/notify.wav" specified by the "filename" PARAM.
When I put the HTML file on a web server, IE, Safari & Chrome can load the file
over HTTP and play the local file "notify.wav" on my machine (you must have
notify.wav at the path "/C:/Windows/Media/" on your machine for the HTML file to
play it).

My question: currently WebKit calls SecurityOrigin::canLoad in
FrameLoader::loadPlugin to check the plugin's URL for security reasons. The URL
comes from one of the following PARAMs (please refer to
RenderPartObject::updateWidget):
    src
    movie
    code
    url
So the "filename" PARAM currently cannot be recognized by WebKit. According to
this MSDN article: http://msdn.microsoft.com/en-us/library/dd563990(VS.85).aspx,
the "filename" and "src" PARAM elements are supported by the Firefox plug-in,
but not by Internet Explorer. They both perform the same function as the "url"
PARAM element. (When "filename" is replaced with "url", Safari & Chrome disallow
playing the local file when the HTML file is loaded over HTTP.)

Since WebKit currently cannot recognize the "filename" PARAM, the value of
"filename" (which is a URL) will not be checked against the SecurityOrigin
policy, which means an HTML file on the internet may play a user's local file
(if the HTML can guess the right path of the file).

I suggest handling "filename" in RenderPartObject::updateWidget. Any comments?

I know there are many PARAMs, each of which can carry a URL value, so checking
only a few known PARAMs, such as "url" and "src", may not be good enough. One
idea that comes to mind is to check the value of each PARAM to see whether it is
a URL or not, and if there is more than one URL, check each of them against the
SecurityOrigin policy.

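As an added example (not WebKit code and not the reporter's), the C++ sketch below models the two mitigations the report proposes. urlFromKnownParam shows the first idea, extending the fixed list of URL-carrying param names (src, movie, code, url) with "filename"; candidateUrls and paramsAllowed show the second idea, treating every param value that parses as a URL as something the origin policy must see. The function canLoad is a simplified stand-in for the local-resource rule of SecurityOrigin::canLoad (a document may reference a file: resource only if it was itself loaded from file:), not the real WebKit function, and all names here are hypothetical. The param list is constructed from the report's own snippet.

```cpp
#include <algorithm>
#include <cctype>
#include <string>
#include <utility>
#include <vector>

// A plugin's <param> list as (name, value) pairs (constructed stand-in for
// what RenderPartObject::updateWidget collects from the <object> element).
using Params = std::vector<std::pair<std::string, std::string>>;

static std::string lowercase(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// Scheme of a URL-looking value ("file", "http", ...), or "" when the value has
// no valid scheme (plain tokens such as "true" or "380" are not URLs).
std::string schemeOf(const std::string& value) {
    size_t colon = value.find(':');
    if (colon == std::string::npos || colon == 0) return "";
    if (!std::isalpha(static_cast<unsigned char>(value[0]))) return "";
    for (size_t i = 1; i < colon; ++i) {
        unsigned char c = value[i];
        if (!(std::isalnum(c) || c == '+' || c == '-' || c == '.')) return "";
    }
    return lowercase(value.substr(0, colon));
}

// Idea 1 from the report: add "filename" to the allowlist of URL-carrying
// param names. Returns the first matching value (param names are compared
// case-insensitively, as HTML attribute values usually are).
std::string urlFromKnownParam(const Params& params) {
    static const char* const kUrlParams[] = { "src", "movie", "code", "url", "filename" };
    for (const auto& p : params) {
        std::string name = lowercase(p.first);
        for (const char* known : kUrlParams)
            if (name == known) return p.second;
    }
    return "";
}

// Idea 2 from the report: ignore names and collect every param value that
// parses as a URL, so an unlisted param cannot smuggle a URL past the check.
std::vector<std::string> candidateUrls(const Params& params) {
    std::vector<std::string> urls;
    for (const auto& p : params)
        if (!schemeOf(p.second).empty()) urls.push_back(p.second);
    return urls;
}

// Simplified stand-in for SecurityOrigin::canLoad (assumption, not WebKit's
// code): a document may point a plugin at a local file: resource only if the
// document itself came from file:. Remote targets pass this particular rule.
bool canLoad(const std::string& documentScheme, const std::string& url) {
    if (schemeOf(url) == "file") return documentScheme == "file";
    return true;
}

// What a hardened FrameLoader::loadPlugin would consult before instantiating
// the plugin: every URL-bearing param must pass, so a single "filename" that
// points at file: is enough to refuse the load for an http: document.
bool paramsAllowed(const std::string& documentScheme, const Params& params) {
    for (const std::string& url : candidateUrls(params))
        if (!canLoad(documentScheme, url)) return false;
    return true;
}

// The <param> list from the report's snippet, constructed here for illustration.
const Params kReportedParams = {
    { "filename", "file:///C:/Windows/Media/notify.wav" },
};
```

With kReportedParams, paramsAllowed("http", ...) returns false while paramsAllowed("file", ...) returns true, which is the behaviour the report says Safari and Chrome already show once the param is named "url" instead of "filename". Scanning values rather than names (candidateUrls) is the broader fix, at the cost of also flagging non-URL values that happen to contain a scheme-like prefix; a real implementation would hand such values to the URL parser rather than this small scheme check.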