| field | value | date |
|---|---|---|
| commit | 2a02a69e3173a85fc6ae4f39c7aec28b2ea0da54 | |
| author | Peter Boström <pbos@chromium.org> | Thu Feb 22 22:25:46 2018 |
| committer | Commit Bot <commit-bot@chromium.org> | Thu Feb 22 22:25:46 2018 |
| tree | f0c5df1a2024928c12e762414094ed871f959ca5 | |
| parent | 75077638cdb3d2b098ccf5f649ec33b1c98aa8fd | |
Add modal confirmation dialog to folder upload

Before this change <input webkitdirectory/> contains a severe security hole, as tricking the user to hold ENTER is sufficient to share a large swath of their filesystem (for Windows this is usually Desktop).

The exploit works as follows:

1. A site tricks the user into holding ENTER (this is trivial).
2. While detecting that the user is holding ENTER, trigger a hidden <input webkitdirectory/> field (input.click()).
3. The folder picker is shown but accepted instantly, which gives the site read access to whatever happens to be selected. On my Windows machine I've observed this to be the Desktop, but I've seen other selections as well (maybe the user folder).

To prevent sharing files without the user's consent this change introduces a modal interstitial that:

1. Tells the user what's about to be shared (N files, from directory X).
2. Advises the user only to do this for sites they trust.
3. Defaults to Cancel so that the example gesture laundering does not work.

This method has a couple of benefits. It provides additional information to the user, who might accidentally have selected the wrong folder and is about to upload more files than intended. It doesn't rely on OS-specific behavior, so it provides level protection everywhere. It also has a lower maintenance cost, as it doesn't need to be added for new platforms or updates to existing OS APIs.

There's opportunity for better laundering protection (such as preventing the dialog from being accepted too quickly), but the attack surface is significantly smaller with this mitigation implemented.

According to usage counters <input webkitdirectory/> is used for <0.001% of page loads (below the consideration-for-deprecation threshold), which makes the interruption fairly low while providing significant additional protection against a malicious attacker.

Bug: chromium:637098
Change-Id: I8ac43f8a61cd4476f581b9e57b07cdf88e28f85c
Reviewed-on: https://chromium-review.googlesource.com/929809
Reviewed-by: Scott Violet <sky@chromium.org>
Commit-Queue: Peter Boström <pbos@chromium.org>
Cr-Commit-Position: refs/heads/master@{#538590}
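The interstitial described in the commit message lives in the browser UI, so a site cannot rely on it being present in every client. The following is an added example, not Chromium's code and not part of the commit, showing the same two ideas applied on the page side: summarise what a `<input webkitdirectory>` selection would share (file count and the top-level directory taken from each entry's `webkitRelativePath`) and let the upload proceed only on an explicit affirmative answer, with every other outcome treated as Cancel. The DOM ids `folder` and `status`, the `wireFolderInput` helper and the `SAMPLE_FILES` list are assumptions made for this example.

```javascript
// Added example, not Chromium code. Summarises a webkitdirectory selection
// and applies a "default to cancel" decision before anything is uploaded.

// Summarise a FileList-like array. In a browser the entries come from
// input.files; each File carries webkitRelativePath such as
// "Desktop/notes/a.txt". Only that property and size are used here.
function summarizeSelection(files) {
  const topLevelDirs = new Set();
  let totalBytes = 0;
  for (const f of files) {
    const rel = f.webkitRelativePath || "";
    const top = rel.includes("/") ? rel.slice(0, rel.indexOf("/")) : "";
    if (top) topLevelDirs.add(top);
    totalBytes += f.size || 0;
  }
  return {
    count: files.length,
    // A single top-level directory is reported; anything else is null.
    directory: topLevelDirs.size === 1 ? [...topLevelDirs][0] : null,
    totalBytes,
  };
}

// Build the text shown to the user: N files from directory X, plus the
// advice the commit message gives (only for sites you trust).
function describeSelection(summary) {
  if (summary.count === 0) return "No files selected.";
  const where = summary.directory
    ? `from "${summary.directory}"`
    : "from multiple directories";
  return `Upload ${summary.count} file(s) (${summary.totalBytes} bytes) ${where}? ` +
    "Only do this for sites you trust.";
}

// Decision helper: proceed only on an explicit boolean true. A dismissed
// dialog, undefined, null or any other value falls through to cancel.
function shouldUpload(confirmation) {
  return confirmation === true;
}

// Browser wiring (assumed element ids "folder" and "status"); not executed
// outside a browser. window.confirm returns false when the dialog is
// dismissed, so shouldUpload() stays false in that case.
function wireFolderInput(doc) {
  const input = doc.getElementById("folder");
  const status = doc.getElementById("status");
  input.addEventListener("change", () => {
    const summary = summarizeSelection(Array.from(input.files));
    const ok = shouldUpload(doc.defaultView.confirm(describeSelection(summary)));
    status.textContent = ok ? `Uploading ${summary.count} file(s)` : "Upload cancelled";
    // Clear the selection on cancel so nothing is submitted later by accident.
    if (!ok) input.value = "";
  });
}

// Constructed sample selection standing in for input.files.
const SAMPLE_FILES = [
  { webkitRelativePath: "Desktop/report.pdf", size: 1200 },
  { webkitRelativePath: "Desktop/photos/cat.jpg", size: 3400 },
  { webkitRelativePath: "Desktop/photos/dog.jpg", size: 2900 },
];
```

The decision is deliberately a strict comparison against `true`: a confirmation value that is merely truthy (a string, a timestamp, an event object) must not count, so that any code path which forgets to ask the user lands on the cancel branch.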
Chromium is an open-source browser project that aims to build a safer, faster, and more stable way for all users to experience the web.
The project's web site is https://www.chromium.org.
Documentation in the source is rooted in docs/README.md.
Learn how to Get Around the Chromium Source Code Directory Structure.