Bug#622353: iceweasel: application/binary files are seen as Bzip archives
Vincent Lefevre
vincent at vinc17.net
Tue Apr 12 12:46:15 UTC 2011
retitle 622353 iceweasel: downloading a file from some web site can introduce incorrect data in mimeTypes.rdf
tags 622353 security
severity 622353 grave
thanks
On 2011-04-12 14:20:30 +0200, Vincent Lefevre wrote:
> Package: iceweasel
> Version: 3.5.18-1
> Severity: normal
>
> Files served as "Content-Type: application/binary" are seen as Bzip
> archives.

The problem seems to come from the mimeTypes.rdf, which contains:

  <RDF:Description RDF:about="urn:mimetype:application/binary"
                   NC:value="application/binary"
                   NC:editable="true"
                   NC:description="Bzip archive">
    <NC:handlerProp RDF:resource="urn:mimetype:handler:application/binary"/>
  </RDF:Description>

If I remove any reference to application/binary from mimeTypes.rdf,
the problem no longer appears after restarting Iceweasel.

However, if I download a real bzip archive with application/binary
content type, e.g.

  https://gforge.inria.fr/frs/download.php/28449/mpfr-3.0.1.tar.bz2

the lines reappear in the mimeTypes.rdf file, and the problem
reappears.

Really, Iceweasel shouldn't corrupt the mimeTypes.rdf file in such
a way, that could affect other web sites. IMHO, this is a potential
security problem, as it can fool the user by giving wrong information
about the contents of a file.

--
Vincent Lefèvre <vincent at vinc17.net> - Web: <http://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <http://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / Arénaire project (LIP, ENS-Lyon)
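
Added example, not part of the original message and not Iceweasel code: a small audit of a profile's mimeTypes.rdf that reports generic content types stored with a format-specific description, together with every URN that refers to them. The GENERIC_TYPES set, the function names and the RDF wrapper around the quoted entry are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET

RDF = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
NC = "http://home.netscape.com/NC-rdf#"
ABOUT, RESOURCE = f"{{{RDF}}}about", f"{{{RDF}}}resource"

# Assumption: content types that say nothing about the real file format.
GENERIC_TYPES = {"application/binary", "application/octet-stream"}

# Constructed sample: the entry quoted in the report inside a minimal RDF
# root, plus an unrelated entry for contrast.
SAMPLE = """<RDF:RDF xmlns:NC="http://home.netscape.com/NC-rdf#"
         xmlns:RDF="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
  <RDF:Description RDF:about="urn:mimetype:application/binary"
                   NC:value="application/binary"
                   NC:editable="true"
                   NC:description="Bzip archive">
    <NC:handlerProp RDF:resource="urn:mimetype:handler:application/binary"/>
  </RDF:Description>
  <RDF:Description RDF:about="urn:mimetype:application/pdf"
                   NC:value="application/pdf"
                   NC:description="PDF document"/>
</RDF:RDF>"""

def references(root, mime):
    """Every RDF:about / RDF:resource URN in the file that names this type."""
    urns = {node.get(attr, "") for node in root.iter() for attr in (ABOUT, RESOURCE)}
    return sorted(u for u in urns
                  if u.startswith("urn:mimetype:") and u.lower().endswith(":" + mime))

def audit(rdf_text, generic=GENERIC_TYPES):
    """Return (type, description, referencing URNs) for each generic content
    type that has been stored with a format-specific description."""
    root = ET.fromstring(rdf_text)
    findings = []
    for node in root.iter(f"{{{RDF}}}Description"):
        mime = node.get(f"{{{NC}}}value", "").lower()
        desc = node.get(f"{{{NC}}}description")
        if mime in generic and desc:
            findings.append((mime, desc, references(root, mime)))
    return findings

if __name__ == "__main__":
    for mime, desc, refs in audit(SAMPLE):
        print(f"{mime} is labelled {desc!r}; entries to review: {refs}")
```

To check a real profile, pass the text of its mimeTypes.rdf to audit() in place of SAMPLE.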