Closed Bug 1539758 Opened 5 years ago Closed 5 years ago

Convert consumers using inline HTML markup in browser.dtd to fluent and/or to not use inline markup

Categories

(Firefox :: General, task)

Product:
Firefox
Component:
General
Version:
67 Branch
Type:
task
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
Firefox 68
Tracking Flags:
Tracking Status
firefox-esr60 --- wontfix
firefox66 --- wontfix
firefox67 --- wontfix
firefox68 --- fixed

People

(Reporter: Gijs, Unassigned)

References

Details

(Keywords: sec-want, Whiteboard: [needed to fix sec-high sandbox escape][post-critsmash-triage][adv-main68-])

Blocks: 1539759
Keywords: sec-want

bug 1523757 deals with the addon post install notification, at least.

Depends on: 1523757

Brian: this bug is the reason for my comment at https://phabricator.services.mozilla.com/D24914#753802 .

I think https://phabricator.services.mozilla.com/D24914 will be ready to land after review.

Is this bug limited to browser.dtd specifically, or does it mean ".dtd used by Firefox" generically? If the former we need to file another bug about the general case.

Flags: needinfo?(gijskruitbosch+bugs)

(In reply to Daniel Veditz [:dveditz] from comment #4)

Is this bug limited to browser.dtd specifically, or does it mean ".dtd used by Firefox" generically? If the former we need to file another bug about the general case.

It means any DTD used in a chrome-privileged document.

(In reply to Kris Maglione [:kmag] from comment #5)

(In reply to Daniel Veditz [:dveditz] from comment #4)

Is this bug limited to browser.dtd specifically, or does it mean ".dtd used by Firefox" generically? If the former we need to file another bug about the general case.

It means any DTD used in a chrome-privileged document.

Yeah, this. bug 1523757 will deal with some of the ones in browser.dtd, Brian's patch on bug 1495861 deals with the other ones, I think, and bug 1523741 will hopefully deal with the about telemetry ones this week.

Between those bugs, I'm hopeful that we can do this for 68. Because we're touching l10n, I'm not sure about uplifting to 67. In principle I believe we could because we have migration scripts to convert existing l10n stuff to fluent, but we'd need to check that with flod/gandalf. I doubt we can realistically uplift any of this work to 60esr, but given this is sec-want that doesn't seem too bad?

Flags: needinfo?(gijskruitbosch+bugs)

(In reply to :Gijs (he/him) from comment #6)

(In reply to Kris Maglione [:kmag] from comment #5)

(In reply to Daniel Veditz [:dveditz] from comment #4)

Is this bug limited to browser.dtd specifically, or does it mean ".dtd used by Firefox" generically? If the former we need to file another bug about the general case.

It means any DTD used in a chrome-privileged document.

Yeah, this. bug 1523757 will deal with some of the ones in browser.dtd, Brian's patch on bug 1495861 deals with the other ones, I think, and bug 1523741 will hopefully deal with the about telemetry ones this week.

To be clear, I think that's everything.

https://searchfox.org/mozilla-central/search?q=%3C%5Ba-z%5D&case=true&regexp=true&path=.dtd

has 9 hits in browser.dtd, the first 3 in comments, then 3 for the panic panel that Brian's patch deals with, then 2 more comments, then an add-on install message bug 1523757 should deal with.

We don't (shouldn't) load the network/cert/phishing error page DTDs (from any directory) in chrome privileged docs.

about:mozilla and the video controls are unprivileged.

Fixed in 68 by the various deps.

Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 68

IIUC, we're not intending to try to backport this work to 67 at this point, but feel free to correct me if that's wrong.

status-firefox66: --- → wontfix
status-firefox67: --- → wontfix
status-firefox68: --- → fixed
status-firefox-esr60: --- → wontfix

(In reply to Ryan VanderMeulen [:RyanVM] from comment #9)

IIUC, we're not intending to try to backport this work to 67 at this point, but feel free to correct me if that's wrong.

It's quite a large set of changes, mostly to locale strings. I don't think we could ask localizers to deal with that in an uplift. So, yeah, a backport doesn't seem likely.

but given this is sec-want that doesn't seem too bad?

keyword fail/limitation. This is a "task" to break a sec-high sandbox escape rather than a vulnerability in its own right. We "want" it really really badly. It didn't seem fair or accurate to pile on a dozen "sec-high" sub-tasks for a single sandbox escape, but maybe that would have helped set the right level of urgency.

Type: defect → task
Whiteboard: [needed to fix sec-high sandbox escape]
Group: firefox-core-security → core-security-release
Flags: qe-verify-
Whiteboard: [needed to fix sec-high sandbox escape] → [needed to fix sec-high sandbox escape][post-critsmash-triage]
Whiteboard: [needed to fix sec-high sandbox escape][post-critsmash-triage] → [needed to fix sec-high sandbox escape][post-critsmash-triage][adv-main68-]
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.