Closed Bug 304833 Opened 20 years ago Closed 20 years ago

help: doesn't work on linux (MacOS security issue)

Categories

(Core :: Networking, defect, P1)

Product:
Core
Component:
Networking
Platform:
x86
Linux
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla1.8beta4

People

(Reporter: clahey, Assigned: Biesinger)

References

(
URL
)

Details

(Keywords: fixed1.8)

Attachments

(1 file)

patch
1.08 KB, patch
benjamin
: review+
roc
: superreview+
asa
: approval1.8b4+
Details | Diff | Splinter Review
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20050715 Firefox/1.0.6 SUSE/1.0.6-8 Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20050715 Firefox/1.0.6 SUSE/1.0.6-8 help: was blacklisted because of a security hole on MacOS. However, on linux, help: is used in KDE and probably will be in gnome soon. Therefore, help: should only be blacklisted on MacOS. Reproducible: Always Steps to Reproduce: 1. Link to a help: uri. Actual Results: Doesn't show up as a link. Expected Results: Shown a link.
Component: OS Integration → Networking
Product: Firefox → Core
Version: unspecified → 1.7 Branch
Version: 1.7 Branch → Trunk
bug 243699 added this pref
Assignee: nobody → darin
Priority: -- → P1
QA Contact: os.integration → benc
Target Milestone: --- → mozilla1.8beta4
Attached patch patchSplinter Review
Assignee: darin → cbiesinger
Status: UNCONFIRMED → ASSIGNED
Attachment #192832 - Flags: superreview?(dveditz)
Attachment #192832 - Flags: review?(benjamin)
Attachment #192832 - Flags: review?(benjamin) → review+
This particular symptom only happens in 1.7. In 1.8 and later, the situation is different because for a blocked protocol we still allow the URI to be created, we just assign it a "blocked" protocol handler. Although this could would be a problem if we want GNOME or KDE to be able to really load "help:" URLs from the browser via an external protocol handler. Do we? If we don't, or we only want help: URLs to work in particlar embedding applications, then I suggest we *not* use this fix. A particular embedding application could use a profile where this preference was explicitly set to true.
Comment on attachment 192832 [details] [diff] [review] patch dveditz is on vacation, switching sr request I think we still want this. For example, when browsing local documentation, it may want to link to a help file.
Attachment #192832 - Flags: superreview?(dveditz) → superreview?(roc)
Comment on attachment 192832 [details] [diff] [review] patch ok. this is safe enough as far as we know.
Attachment #192832 - Flags: superreview?(roc) → superreview+
Checking in modules/libpref/src/init/all.js; /cvsroot/mozilla/modules/libpref/src/init/all.js,v <-- all.js new revision: 3.589; previous revision: 3.588 done
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Comment on attachment 192832 [details] [diff] [review] patch allows loading help: uris on non-macos systems; this should be safe since the security issue is only with help: uris on macos.
Attachment #192832 - Flags: approval1.8b4?
Attachment #192832 - Flags: approval1.8b4? → approval1.8b4+
approving but this would have been nice to have nominated earlier in the cycle.
Flags: blocking1.8b4+
sorry, this bug was only pointed out to me a week ago. MOZILLA_1_8_BRANCH: Checking in modules/libpref/src/init/all.js; /cvsroot/mozilla/modules/libpref/src/init/all.js,v <-- all.js new revision: 3.585.2.3; previous revision: 3.585.2.2 done
Keywords: fixed1.8
Can someone explain to me... what is the valid format of a help: URL? The big problem here is apple went and created a couple lame URL types for their OS. (Then again, Netscape probably was the originator of this bad practice)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: