File attached from some browsers discloses entire path

Bug #134816 reported by Matthew Paul Thomas
Affects: Launchpad itself
Status: Confirmed
Importance: Undecided
Assigned to: Unassigned

Bug Description

Since bug 73695 was fixed, Launchpad uses a bug attachment's filename (as provided by the browser) as the attachment's description, if no other description was provided. The Launchpad Librarian also preserves the filename in the attachment's URL.

Unfortunately, some browsers provide not just the filename, but the entire path of the file (as seen for example in bug 134761):
* Internet Explorer 7 or earlier (but not 8 or later)
* Firefox 2 or earlier
* Safari (all versions up to at least 4 Developer Preview).
In addition, Opera 9.5 returns "C:\fake_path\" followed by the filename, regardless of OS and regardless of the real path.

[Sources: <http://lists.whatwg.org/pipermail/whatwg-whatwg.org/2008-June/015162.html>, <http://lists.whatwg.org/pipermail/whatwg-whatwg.org/2008-June/015171.html>.]

It's not obvious that the entire path will be disclosed. In the case of Opera this results in merely a non-sequitur appearing in Launchpad pages. But for the other browsers it's easy to imagine one of an attached file's parent folders having a name that is embarrassing or that discloses information the commenter would rather keep private.

Perhaps we could use only that section of the browser-supplied filename that follows the last "/" or "\" character.

(The equivalent in project releases is bug 174794.)
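The fix the report proposes, keeping only the part of the browser-supplied name after the last "/" or "\", as an added example in Python (not Launchpad's own code). It splits on both separators because the separator depends on the client's operating system, not the server's, so a Windows path arriving at a Linux server must still be handled. It also refuses empty, "." and ".." results, since the stripped name is reused both as a description and as a URL path segment. The sample inputs are constructed, and the function name is an assumption.

```python
import re

# Browser-supplied filenames seen in the report: some clients send the whole
# client-side path, Opera 9.5 sends "C:\fake_path\" plus the filename.
# Splitting on the last separator handles all of them without special cases.


def attachment_basename(client_filename: str) -> str:
    """Return only the final path component of a browser-supplied filename.

    Both '/' and '\\' are treated as separators. NUL bytes and surrounding
    whitespace are stripped, and an empty, '.' or '..' result is replaced
    with a neutral placeholder so it is safe to reuse as a description and
    as a URL path segment.
    """
    name = client_filename.replace("\x00", "").strip()
    # Take everything after the last '/' or '\' (whichever occurs last).
    name = re.split(r"[\\/]", name)[-1].strip()
    if name in ("", ".", ".."):
        return "unnamed"
    return name


# Constructed examples: the left side is what a leaky browser might send,
# the right side is what should end up in the description and the URL.
SAMPLES = {
    "C:\\Documents and Settings\\alice\\My Documents\\private-matter\\screenshot.png": "screenshot.png",
    "/home/bob/Private/secret-project/log.txt": "log.txt",
    "C:\\fake_path\\report.pdf": "report.pdf",  # Opera 9.5 style prefix
    "C:/mixed\\separators/trace.log": "trace.log",
    "report.pdf": "report.pdf",  # well-behaved browser, unchanged
    "C:\\Users\\carol\\": "unnamed",  # trailing separator, no filename
    "..": "unnamed",
}


def check_samples() -> bool:
    """Return True when every constructed sample yields its expected basename."""
    return all(attachment_basename(raw) == expected for raw, expected in SAMPLES.items())


if __name__ == "__main__":
    for raw, expected in SAMPLES.items():
        print(f"{raw!r:>80} -> {attachment_basename(raw)!r}")
    print("all samples ok:", check_samples())
```

Note that a path-only name ("C:\Users\carol\") yields no usable filename at all, which is why the function falls back to a placeholder rather than exposing the directory component.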

Tags: lp-bugs
Diogo Matsubara (matsubara) wrote :

This can be reproduced using IE6

Changed in malone:
status: New → Confirmed
description: updated
description: updated
description: updated
description: updated
description: updated