Closed Bug 1061136 Opened 10 years ago Closed 10 years ago

local (file://) links don't work if capability.policy.localfilelinks.sites without protocol and if only domain/only protocol

Categories

(Core :: Security: CAPS, defect)

Product:
Core
Component:
Security: CAPS
Version:
31 Branch
Platform:
x86_64
Windows 7
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla35
Tracking Flags:
Tracking Status
firefox31 --- wontfix
firefox32 --- wontfix
firefox33 --- fixed
firefox34 --- fixed
firefox35 --- fixed
firefox-esr24 --- unaffected
firefox-esr31 33+ fixed

People

(Reporter: alice0775, Assigned: bholley)

References

Details

Attachments

(7 files, 2 obsolete files)

test html
69 bytes, text/html
Details
user.js
239 bytes, application/x-javascript
Details
user.js without protocol
231 bytes, application/x-javascript
Details
user.js only domain
220 bytes, application/x-javascript
Details
user.js only protocol
212 bytes, application/x-javascript
Details
Assume both http:// and https:// for schemeless URIs in CAPS prefs. v2
3.41 KB, patch
bzbarsky
: review+
Sylvestre
: approval-mozilla-aurora+
Sylvestre
: approval-mozilla-beta+
Sylvestre
: approval-mozilla-esr31+
Details | Diff | Splinter Review
Followup bugfix. v1
1.17 KB, patch
bzbarsky
: review+
Details | Diff | Splinter Review
Attached file test html
No description provided.
Attached file user.js
+++ This bug was initially created as a clone of Bug #995943 +++ Build Identifier: https://hg.mozilla.org/mozilla-central/rev/1db35d2c9a2f Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0 ID:20140831030206 Firefox 28 works as expected. This bug exist since Firefox 31. Steps to reproduce: 1. Create a new profile and copy "user.js" attachment 8482203 [details] to the profile folder 2. Start browser 3. Open attachment 8482197 [details] 4. Click a link "file:///c:/windows/win.ini" --- nothing happens in Nightly34. It works as expected in Filrefox28. It works if a protocol is specified(see attachment 8482198 [details]). Actual Results: No thing happen Expected results: File c:/windows/win.ini contents should display.
Blocks: 913734
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: local (file://) links don't work even when configured for company's internal system → local (file://) links don't work if capability.policy.localfilelinks.sites without protocol
Blocks: 995943
Attached file user.js only domain
This also works in Firefox28. However, this dose not work in Firefox31 and later.
Summary: local (file://) links don't work if capability.policy.localfilelinks.sites without protocol → local (file://) links don't work if capability.policy.localfilelinks.sites without protocol or if only domain
Attached file user.js only protocol
This also works in Firefox28. However, this dose not work in Firefox31 and later.
Summary: local (file://) links don't work if capability.policy.localfilelinks.sites without protocol or if only domain → local (file://) links don't work if capability.policy.localfilelinks.sites without protocol and if only domain/only protocol
Flags: needinfo?(bobbyholley)
Protocol-only is WONTFIX for the reasons outlined in bug 1028321 comment 2. The "without protocol" case does seem like a potential pain-point. I think we can fix 95% of that pain by just assuming http:// there. I'll attach a patch.
Flags: needinfo?(bobbyholley)
Attachment #8483014 - Flags: review?(bzbarsky)
[Tracking Requested - why for this release]: We'll want this on esr31, since this is currently the last overlap cycle of esr31, and this has the potential to reduce pain when large organizations make the switch in 6 weeks.
tracking-firefox-esr31: --- → ?
Comment on attachment 8483014 [details] [diff] [review] Assume http:// for schemeless URIs in CAPS prefs. v1 r=me
Attachment #8483014 - Flags: review?(bzbarsky) → review+
So, after the above patch landing, Open local file from http://host.domain and https://host_ssl.domain_ssl (ssl site), Not supported format: https: http: --- was rejected by bug 1061128 comment#2? host_ssl.domain_ssl [1] domain domain_ssl [2] Supported format: http://host.domain https://host_ssl.domain_ssl --- was added by bug 1061128 host.domain --- will be added by this bug 1061136 What about [1] and [2]?
Hm, I guess it makes sense to add _both_ http:// and https:// to the whitelist in the case of schemeless domains. I'll attach an updated patch.
Attachment #8483014 - Attachment is obsolete: true
Attachment #8485320 - Flags: review?(bzbarsky)
Comment on attachment 8485320 [details] [diff] [review] Assume both http:// and https:// for schemeless URIs in CAPS prefs. v2 Yeah, makes sense.
Attachment #8485320 - Flags: review?(bzbarsky) → review+
https://hg.mozilla.org/mozilla-central/rev/2092f7bd26d2
Assignee: nobody → bobbyholley
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla35
Blocks: 1053725
This was a stupid error I introduced in this bug, whereby schemeless hosts cause subsequent sites to be ignored. I discovered it in bug 1053725, and incidentally the test changes made in that bug serve as test coverage for this patch. I know that serial landings in a single bug aren't all that kosher, but I think it's probably fine in this case, and simplifies things a bit when we uplift all this to esr.
Attachment #8486098 - Flags: review?(bzbarsky)
Comment on attachment 8486098 [details] [diff] [review] Followup bugfix. v1 Ouch. I should have caught that! r=me
Attachment #8486098 - Flags: review?(bzbarsky) → review+
Comment on attachment 8485320 [details] [diff] [review] Assume both http:// and https:// for schemeless URIs in CAPS prefs. v2 This request applies to both patches in this bug. It makes the enterprise pref configurations for local file:// links more backwards compatible. [Approval Request Comment] If this is not a sec:{high,crit} bug, please state case for ESR consideration: User impact if declined: When large organizations switch over to esr31, they're more likely to find that their old pref files don't work, wasting time both in diagnosis and in deploying a fix. Fix Landed on Version: 35 Risk to taking this patch (and alternatives if risky): Very low risk String or UUID changes made by this patch: None See https://wiki.mozilla.org/Release_Management/ESR_Landing_Process for more info.
Attachment #8485320 - Flags: approval-mozilla-esr31?
Comment on attachment 8485320 [details] [diff] [review] Assume both http:// and https:// for schemeless URIs in CAPS prefs. v2 See bug 1053725 comment 11. Don't forget the followup bugfix.
Attachment #8485320 - Flags: approval-mozilla-beta?
Attachment #8485320 - Flags: approval-mozilla-aurora?
Attachment #8485320 - Flags: approval-mozilla-esr31?
Attachment #8485320 - Flags: approval-mozilla-esr31+
Attachment #8485320 - Flags: approval-mozilla-beta?
Attachment #8485320 - Flags: approval-mozilla-beta+
Attachment #8485320 - Flags: approval-mozilla-aurora?
Attachment #8485320 - Flags: approval-mozilla-aurora+
Either this or bug 1053725 appears to have broken Marionette :( https://tbpl.mozilla.org/php/getParsedLog.php?id=48107396&tree=Mozilla-Esr31
Flags: needinfo?(bobbyholley)
Nevermind that, this is mozharness bustage.
Flags: needinfo?(bobbyholley)
Depends on: 1067340
No longer depends on: 1067340
Depends on: 1066718
Attachment #8489983 - Flags: review?(bzbarsky)
Comment on attachment 8489983 [details] [diff] [review] Get sIOService before invoking ReadPrefs. v1 Sorry, wrong bug.
Attachment #8489983 - Attachment is obsolete: true
Attachment #8489983 - Flags: review?(bzbarsky)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: