Issue 21238: security: Content-Type: application/rss+xml being rendered as active content
Status:  Fixed
Closed:  Sep 2009

Reported by, Sep 7, 2009
security@ received the following report that seems to be a duplicate of
b/1004726. It was also tested in and 2.x:

Hi Google Security Team,

Version Tested: Google Chrome v3.0.195.10

Vulnerability: Google Chrome's inbuilt RSS/ATOM Reader renders untrusted
javascript content in an RSS/ATOM feed.

Exploit Scenarios:

1.       Attacker can social engineer a user to visit a rss/atom feed
Malicious javascript gets executed in the user's browser. It is not
of feeds to execute untrusted content.

2.       Attacker can upload a .rss/.atom/file with .rss (or .atom) in
name (with arbitrary extension) on a trusted site. The trusted site might
allow the upload thinking that it is not one of the executable file
(like .html, .php, .asp) and hence won't get rendered in the browser [Chrome
does not execute untrusted file types, e.g. try clicking]. On the
if a user clicks on this link while being authenticated to this trusted
site, the malicious javascript does get executed in the context of trusted
site and user's credentials can get stolen.

Proof of Concept: [Any
arbitrary file extension]

Suggested Fix: Don't render any javascript content of an RSS feed.

Opera 10 is vulnerable to the same issue. Microsoft IE7, IE8, Firefox 3.5
and Safari 4 are not vulnerable to this exploit.

I am planning to disclose this vulnerability on my blog in another 15 days
(September 23) and hope you can fix it by then.  I believe in responsible
disclosure and want to protect your users from potentially getting
exploited. Please feel free to contact me if you have any questions.

Thanks and Regards,


Security Researcher <>
Sep 7, 2009
Patch for trunk:
Status: Started
Labels: -Pri-0 -Area-Misc Pri-1 Area-BrowserBackend
Sep 7, 2009
Setting mstone3 and cc'ing laforge to make sure we include this in 3.0.
Labels: Mstone-3
Sep 7, 2009
(No comment was entered for this change.)
Labels: Security-Medium
Sep 7, 2009
(No comment was entered for this change.)
Status: FixUnreleased
Sep 8, 2009
The following revision refers to this bug: 

r25657 | | 2009-09-08 13:48:59 -0700 (Tue, 08 Sep 2009) | 11 lines
Changed paths:

Merge 25608 - Refuse to render RSS as XML by treating the response as text/plain.  This is
somewhat unfortunate, but we need to do this until we have a builtin feed


Review URL:
Review URL:
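
The approach named in the commit message above (treat a feed response as text/plain instead of rendering it as XML), sketched as an added example that is not Chromium's code. The function names are hypothetical, listing application/atom+xml next to application/rss+xml is an assumption based on the report's mention of Atom feeds, and the sketch looks only at the declared Content-Type header; the sample headers in main() are constructed.

```cpp
#include <algorithm>
#include <cctype>
#include <iostream>
#include <string>

// Reduce a Content-Type header value to its bare media type:
// drop parameters (";charset=..."), trim whitespace, lower-case.
std::string NormalizeMediaType(const std::string& header) {
  std::string type = header.substr(0, header.find(';'));
  auto not_space = [](unsigned char c) { return !std::isspace(c); };
  type.erase(type.begin(), std::find_if(type.begin(), type.end(), not_space));
  type.erase(std::find_if(type.rbegin(), type.rend(), not_space).base(),
             type.end());
  std::transform(type.begin(), type.end(), type.begin(), [](unsigned char c) {
    return static_cast<char>(std::tolower(c));
  });
  return type;
}

// Feed types that would otherwise be rendered as XML, where an embedded
// script element runs in the serving site's origin.
// (application/atom+xml is an assumption of this example.)
bool IsFeedType(const std::string& media_type) {
  return media_type == "application/rss+xml" ||
         media_type == "application/atom+xml";
}

// Type the renderer should use: feeds are downgraded to text/plain so the
// markup is displayed as text and never parsed as active content.
std::string EffectiveRenderType(const std::string& content_type_header) {
  const std::string type = NormalizeMediaType(content_type_header);
  return IsFeedType(type) ? "text/plain" : type;
}

int main() {
  // Constructed sample headers, not taken from the report.
  const char* samples[] = {"application/rss+xml",
                           " Application/Atom+XML ; charset=utf-8",
                           "text/html; charset=utf-8", "application/xml"};
  for (const char* h : samples)
    std::cout << '"' << h << "\" -> " << EffectiveRenderType(h) << '\n';
  return 0;
}
```

Matching on the normalized type matters here: a check against the raw header string would miss the same feed type sent with a charset parameter or in different letter case.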

Sep 14, 2009
How should we credit the researcher?  as Inferno?
Oct 22, 2009
Removing view restriction; long since fixed...
Labels: -Restrict-View-SecurityTeam SecSeverity-Medium
Oct 22, 2009
(No comment was entered for this change.)
Status: Fixed
Dec 18, 2009
(No comment was entered for this change.)
Labels: -Area-BrowserBackend Area-Internals
Mar 21, 2011
(No comment was entered for this change.)
Labels: Type-Security
Oct 5, 2011
Batch update: assuming these security changes impacted stable based on some fuzzy filtering.
Labels: SecImpacts-Stable
Oct 13, 2012
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.
Labels: Restrict-AddIssueComment-Commit
Mar 9, 2013
(No comment was entered for this change.)
Labels: -SecSeverity-Medium -Mstone-3 -Area-Internals -Type-Security -SecImpacts-Stable M-3 Cr-Internals Security-Severity-Medium Security-Impact-Stable Type-Bug-Security
Mar 13, 2013
(No comment was entered for this change.)
Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue
Mar 21, 2013
(No comment was entered for this change.)
Labels: -Security-Impact-Stable Security_Impact-Stable
Mar 21, 2013
(No comment was entered for this change.)
Labels: -Security-Severity-Medium Security_Severity-Medium