Your message dated Fri, 19 Apr 2013 03:07:44 +0200
with message-id <[email protected]>
and subject line Re: Bug#303246: Selecting text of a link downloads the link
has caused the Debian Bug report #303246,
regarding mozilla-firefox: Selecting text of a link downloads the link
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
303246: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=303246
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: mozilla-tabextensions
Version: 1.14.2005032801-1
Severity: important

(Possible security problem, see below.)

When I select text that belongs to a link (while pressing the mod1
key), the selection is performed, but the link is also downloaded
as soon as I release the mouse button, as if I clicked on the link
(with the key pressed).

When I was using Mozilla, this bug occurred when the link had a
target="_blank" attribute (in other cases, not always). Now I'm
using Firefox, and this bug always occurs.

Note that other users of the machine may be able to access the
downloaded information (depending on the user choices), though
a download has never been requested. This is a security problem
if the link contains private or confidential information.

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.10-20050318
Locale: LANG=POSIX, LC_CTYPE=en_US.ISO8859-1 (charmap=ISO-8859-1)

Versions of packages mozilla-tabextensions depends on:
ii  mozilla-browser               2:1.7.6-1  The Mozilla Internet application s
ii  mozilla-firefox               1.0.2-2    lightweight web browser based on M

-- no debconf information


--- End Message ---
--- Begin Message ---
Control: notforwarded -1
Control: tags -1 = unreproducible

On 2006-04-08 02:58:21 +0200, Javier Serrano Polo wrote:
> I think solving this bug as suggested by
> https://bugzilla.mozilla.org/show_bug.cgi?id=254707 (disable link
> dragging by default) could pose a security issue, see attachment for a
> simple attack.

Actually the bug I was seeing was rather different from what is
described in bug 254707. Hence -> notforwarded.

I recall that I wasn't seeing link dragging. Text was selected as
expected, but in addition to that, and this was the bug, the link
was downloaded.

I can no longer reproduce this: with Alt + drag, text is selected
and the link is *not* downloaded. Thus I'm closing the bug.

Note: The behavior about link dragging has also changed. In the past,
pressing the mod1 key was sufficient to disable link dragging and
select text. Now, the key has to be the Alt key, i.e. if Meta is used
for mod1, it won't work. It is a bad idea to hard-code the key, but
it seems that using Alt instead of Meta for mod1 has no drawbacks
with current applications (this was not the case in the past).

Also the security issue is still there in this form or another, but
that's now hardly avoidable without disabling JavaScript anyway. It
seems that some sites use this kind of trick to display adverts in
a new window when the user clicks anywhere on the page. This more
or less defeats popup blocking.

-- 
Vincent Lefèvre <[email protected]> - Web: <http://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <http://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)

--- End Message ---
