Bug 396710 – plugin can access local files

After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.

Bug 396710 - plugin can access local files


Summary:	plugin can access local files


Status:	RESOLVED OBSOLETE

Product:	totem
Classification:	Core
Component:	Browser plugin (obsolete)
Version:	2.17.x
Hardware:	Other Linux

Importance:	Normal major
Target Milestone:	---
Assigned To:	totem-browser-maint
QA Contact:	totem-browser-maint

URL:
Whiteboard:

Depends on:
Blocks:

Reported:	2007-01-15 00:55 UTC by Christian Persch
Modified:	2014-04-30 11:21 UTC

See Also:
GNOME target:	---
GNOME version:	---

Description Christian Persch 2007-01-15 00:55:07 UTC

Steps to reproduce:
0) Copy a movie file to /tmp/test.mov
1) Load http://www.gnome.org/~chpe/testcases/test-local.html

Actual results:
Local movie plays in web page.

Expected results:
Plugin must not allow remote content to play local content. This applies to both playlists and redirects.

Comment 1 Bastien Nocera 2007-01-15 01:52:45 UTC

Would it be fair to allow local file playback if the web page is loaded locally?

Comment 2 Christian Persch 2007-01-15 11:12:50 UTC

Not sure about that. You can save remote pages on disk and open them from there, should that open all your files to the remote content? That's rather like the mozilla bug about JS in saved files having access to local files (couldn't find the bug right now though)...

Comment 3 Christian Persch 2007-01-15 11:20:00 UTC

I think it's this bug I was taking about: https://bugzilla.mozilla.org/show_bug.cgi?id=230606 .

Comment 4 Bastien Nocera 2007-01-15 16:19:49 UTC

(In reply to comment #2)
> Not sure about that. You can save remote pages on disk and open them from
> there, should that open all your files to the remote content? That's rather
> like the mozilla bug about JS in saved files having access to local files
> (couldn't find the bug right now though)...

Mozilla won't be saving the playlist locally, so it would indeed be possible to have a local html page, remote playlist, and local file referenced in that case.

If you think we should also check for the playlist being a local file (originally, it's local when we use it, as it's in the cache), feel free to reopen this bug.

2007-01-15  Bastien Nocera  <hadess@hadess.net>

        * browser-plugin/totem-plugin-viewer.c: (entry_added),
        (totem_embedded_push_parser): Before adding a local file entry
        from a playlist, verify that the base uri for that playlist
        is local as well, or ignore the entry (Closes: #396710)

Comment 5 Christian Persch 2007-01-16 23:43:55 UTC

I do think that we shouldn't parse local playlists either. For example, a non-local (well, in-cache) playlist could try to reference a local playlist (recursive playlist parsing).

Also, "local" isn't just file:, there's also smb: to consider (and possibly more schemes).

Comment 6 Bastien Nocera 2014-04-30 11:21:35 UTC

The browser plugin has been removed from Totem. See this post for more details:
http://www.hadess.net/2014/04/good-bye-totem-browser-plugin.html