PDF Plugin Security Issue?

Matthew Chin

May 22, 2015, 5:28:50 PM
to chromium...@chromium.org
Hello,

I am currently using the PDF plugin and came across a potential security issue. Not sure if it has been raised before.

I am using a CMS application so that I can upload and store pdfs. The pdfs have specific permissions set.

Issue:
1. Log in as an admin user to view abc.pdf through chrome pdf plugin
2. Confirm I can see abc.pdf through chrome pdf plugin (do not close browser)
3. Log out
4. Log in as Regular User who should be able to see document
Result:
I can still see abc.pdf which should only be accessible by the Admin user

Only way for this not to occur is to clear my browser cache. Bug or not?

PhistucK

May 23, 2015, 8:58:44 AM
to mchi...@gmail.com, Chromium-discuss
Generally, it seems like a badly configured server that sends inappropriate HTTP headers for caching. If you send the right headers, it will not be cached.

If you disable the PDF Viewer plugin (go to chrome://plugins and disable it from there), does it redownload it (from cache, I guess)?

Does it only happen in Chrome (which, I guess, means - do other browsers not download it)?


PhistucK
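
The caching behaviour described in the reply above, as an added example that is not part of the original thread: a Python sketch that classifies how a browser cache may treat a response for a permission-protected PDF under standard HTTP caching rules (RFC 9111). The function names and the sample header sets are constructed for illustration.

```python
# Added example (not from the thread): how a browser cache may treat a response.
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

def parse_cache_control(value):
    """Split a Cache-Control value into {directive: argument or None}."""
    out = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            out[name.lower()] = arg.strip('"') or None
    return out

def classify(headers):
    """Return 'not-stored', 'revalidated', 'reusable' or 'heuristic'."""
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    if "no-store" in cc:
        return "not-stored"    # caches must not keep a copy at all
    if "no-cache" in cc:
        return "revalidated"   # stored, but the server is asked before every reuse
    if "max-age" in cc:        # 'private' alone does not stop the browser cache
        age = cc["max-age"] or ""
        return "reusable" if age.isdigit() and int(age) > 0 else "revalidated"
    if "expires" in h:
        try:
            now = (parsedate_to_datetime(h["date"]) if "date" in h
                   else datetime.now(timezone.utc))
            fresh = parsedate_to_datetime(h["expires"]) > now
        except (TypeError, ValueError):
            fresh = False      # an unparsable date (e.g. Expires: 0) counts as expired
        return "reusable" if fresh else "revalidated"
    return "heuristic"         # no explicit lifetime: the cache may choose one itself

# Constructed sample responses for a permission-protected PDF.
SAMPLES = {
    "private-max-age": {"Cache-Control": "private, max-age=3600"},
    "no-directives": {"Content-Type": "application/pdf",
                      "Last-Modified": "Fri, 22 May 2015 20:00:00 GMT"},
    "future-expires": {"Date": "Fri, 22 May 2015 21:00:00 GMT",
                       "Expires": "Sat, 23 May 2015 21:00:00 GMT"},
    "expires-zero": {"Expires": "0"},
    "no-cache": {"Cache-Control": "private, no-cache"},
    "no-store": {"Cache-Control": "no-store"},
}

if __name__ == "__main__":
    for name, headers in SAMPLES.items():
        print(f"{name:16} -> {classify(headers)}")
```

Responses classified as `reusable` or `heuristic` can be shown again from the local cache without the server re-checking who is logged in; `revalidated` depends on the server enforcing permissions on the conditional request.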

Matthew Chin

May 26, 2015, 11:35:17 AM
to chromium...@chromium.org, mchi...@gmail.com
Thanks for your reply. I have confirmed that if I disable chrome's pdf viewer plugin, the pdf is no longer accessible by the user without the correct view permission.

PhistucK

May 26, 2015, 12:22:36 PM
to Matthew Chin, Chromium-discuss
You can search crbug.com for an existing issue and star it. If you cannot find one, file a new issue using the "New issue" link on the same page.
Please, do not add a "+1" or "Me too" or "Confirmed" (or similar) comment. It just wastes the time of Chrome engineers and sends unnecessary e-mails to all of the people who starred the issue.

You can reply with a link to the found or created issue and it might get triaged (and fixed) faster.

Thank you.



PhistucK