On Firefox 10.0.5 I get access to file contents in the /etc directory by using "/etc/<any file>" or "file:///etc/<any file>" in the location bar.

Reproducible: Always

Steps to Reproduce:
1. Open Firefox
2. Type "/etc/passwd" or "file:///etc/passwd" in the location bar
3. Press enter or "Go" button

Actual Results: The content of the passwd file was exposed

Expected Results: Not getting access.

uname -r: 3.3.8-gentoo
The access of local files via file:// is intentional and not a bug. If you want this changed, contact upstream (but I doubt that they will).
(In reply to comment #1)
> The access of local files via file:// is intentional and not a bug.
>
> If you want this changed, contact upstream (but I doubt that they will).

I understand that it is intentional. But it is wrong to provide access to system-wide configuration files to users. As a user I am unable to see the content of a lot of configuration files in /etc through bash, then why would that be possible through Firefox? Isn't this a security threat?
(In reply to comment #2)
> (In reply to comment #1)
> > The access of local files via file:// is intentional and not a bug.
> >
> > If you want this changed, contact upstream (but I doubt that they will).
>
> I understand that it is intentional. But it is wrong to provide access to
> system wide configuration files to users. As a user I am unable to see
> content of a lot of configuration files in /etc through bash then why would
> that be possible through Firefox? Isn't this a security threat?

You can read exactly the same files as you can through bash.