[hackerone] webkitRelativePath may expose OS username

[diracdeltas]

https://hackerone.com/reports/258585

It appears that webkitRelativePath in Brave may expose the username, whereas in Chrome it doesn't. I'm not 100% sure it won't also expose the OS username in Chrome if the home folder itself is your default file picker location. However, it is weird that Brave shows the parent folder of the selected folder + selected folder, whereas Chrome shows selected folder + filename of first file. demo: https://dev.ruby.sh/brave/trap.html

STR:

1. copy this to a local html file:

<h3 id="qmsg"></h3>
<input id="thing" type="file" webkitdirectory mozdirectory  />
<script>
    thing.onchange = function() {
       qmsg.innerHTML = thing.files[0].webkitRelativePath;
    }
</script>

2. start a local webserver and open the file above
3. click the 'choose files' button. select the same folder in both Chrome and Brave
4. notice that the result is different in Chrome and Brave

[diracdeltas]

more background: http://leucosite.com/Chrome-Firefox-Edge-Local-File-Disclosure/

[diracdeltas]

This should be addressed by brave/muon#242 but we should check the PoC to make sure

[kjozwiak]

Verified on macOS 10.13.4 x64 using the following build:

• 0.23.11 6565c06
• muon: 7.1.0
• libchromiumcontent: 67.0.3396.87

Verified on Windows 10 x64 using

• 0.23.11 - 6565c06
• Muon - 7.1.0
• libchromiumcontent - 67.0.3396.87

Verified on Ubuntu 17.10 x64

• 0.23.12 - 88f6f07
• Muon - 7.1.1
• libchromiumcontent - 67.0.3396.87

[kjozwiak]

@diracdeltas I managed to reproduce this with 0.18.34 so I can see the original issue. However, it seems like the issue has already been fixed under 0.22.810 8f30eeb which is the latest released version. I also tried with 0.23.11 6565c06 and get the following when uploading a folder:

• Downloads/Brave-Beta-0.23.11.dmg (no username disclosure)

Will this particular fix cause any issue as the original bug already seems to be fixed under 0.22.810 8f30eeb?