Closed Bug 1258549 Opened 4 years ago Closed 3 years ago

Fennec prefs contain insecure links for about: pages

Categories

(Firefox for Android :: General, defect)


VERIFIED FIXED
Firefox 50
Tracking Status
firefox48 --- verified
firefox49 --- verified
firefox50 --- verified

People

(Reporter: dveditz, Assigned: ahunt)

References

(Depends on 1 open bug, Blocks 1 open bug)

Details

(Keywords: sec-low, Whiteboard: [adv-main48-])

Attachments

(2 files)

+++ This bug was initially created as a clone of Bug #1257744 +++

Firefox for Android has several insecure (http:) links in its pref file:

app.support.baseURL
http://support.mozilla.org/1/mobile/%VERSION%/%OS%/%LOCALE%/

app.creditsURL
http://www.mozilla.org/credits/

app.channelURL
http://www.mozilla.org/%LOCALE%/firefox/channel/

app.releaseNotesURL
http://www.mozilla.com/%LOCALE%/mobile/%VERSION%/auroranotes/
http://www.mozilla.com/%LOCALE%/mobile/%VERSION%beta/releasenotes/
http://www.mozilla.com/%LOCALE%/mobile/%VERSION%/releasenotes/

All of those resources can be loaded securely by changing http: to https:

The B2GDroid default prefs have a copy of these plus the additional pref

app.faqURL
http://www.mozilla.com/%LOCALE%/mobile/beta/faq/
http://www.mozilla.com/%LOCALE%/mobile/faq/
Assignee: nobody → margaret.leibovic
ahunt, do you want to write a quick patch for this? I haven't had time to get to this myself.
Assignee: margaret.leibovic → ahunt
Flags: needinfo?(ahunt)
All our licence headers contain a link to http://mozilla.org/MPL/2.0/ - upgrading that to https would make it easier to grep for this sort of thing, but might be noisy - is it worth doing that too?
Flags: needinfo?(ahunt)
Attachment #8759768 - Flags: review?(margaret.leibovic)
Attachment #8759772 - Flags: review?(margaret.leibovic)
Status: NEW → ASSIGNED
Comment on attachment 8759768 [details] [diff] [review]
Upgrade fennec support links

Review of attachment 8759768 [details] [diff] [review]:
-----------------------------------------------------------------

Thanks.
Attachment #8759768 - Flags: review?(margaret.leibovic) → review+
Comment on attachment 8759772 [details] [diff] [review]
Update b2g support links

Review of attachment 8759772 [details] [diff] [review]:
-----------------------------------------------------------------

Not sure if this is even used anymore, but hey, why not.
Attachment #8759772 - Flags: review?(margaret.leibovic) → review+
(In reply to Andrzej Hunt :ahunt from comment #2)
> All our licence headers contain a link to http://mozilla.org/MPL/2.0/ -
> upgrading that to https would make it easier to grep for this sort of thing,
> but might be noisy - is it worth doing that too?

Hm, that seems like something that should be updated in the boilerplate as well in that case.

Could be worth filing another (non-security) bug about this, and you could ask gerv what he thinks.
https://hg.mozilla.org/mozilla-central/rev/41115c9571f2
https://hg.mozilla.org/mozilla-central/rev/2bcd6f6c4cac
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 50
Group: firefox-core-security → core-security-release
Should we uplift this? Seems low risk.
Flags: needinfo?(ahunt)
Comment on attachment 8759768 [details] [diff] [review]
Upgrade fennec support links

Approval Request Comment
[Feature/regressing bug #]: n/a
[User impact if declined]: Support links use http / will be loaded insecurely. (Based on my incomplete knowledge this means they could be intercepted/spoofed/etc, I don't have access to the original bug.)
[Describe test coverage new/current, TreeHerder]: none
[Risks and why]: low risk: support links updated to https from http.
[String/UUID change made/needed]: none.
Flags: needinfo?(ahunt)
Attachment #8759768 - Flags: approval-mozilla-beta?
Attachment #8759768 - Flags: approval-mozilla-aurora?
Comment on attachment 8759768 [details] [diff] [review]
Upgrade fennec support links

Low risk, fix a sec-low issue, taking it.
Should be in 48 beta 4
Attachment #8759768 - Flags: approval-mozilla-beta?
Attachment #8759768 - Flags: approval-mozilla-beta+
Attachment #8759768 - Flags: approval-mozilla-aurora?
Attachment #8759768 - Flags: approval-mozilla-aurora+
Verified as fixed on Firefox 48 Beta 4, all the links are upgraded to https
Whiteboard: [adv-main48-]
Verified on latest Aurora and Nightly build, all the links are upgraded to https.
Status: RESOLVED → VERIFIED
Group: core-security-release
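
A check for the class of problem fixed in this bug, as an added example that is not part of the bug or its attached patches: it scans pref-file text for string prefs whose value is an http: URL and proposes the https: form, while skipping comment lines so the MPL licence-header link mentioned in comment 2 does not add noise. It assumes the `pref("name", "value");` line syntax; the sample text is constructed from the pref names and URLs listed in the report, and the `#ifdef` symbol is a placeholder.

```python
import re

# Matches a string pref whose value starts with http://, for example
#   pref("app.creditsURL", "http://www.mozilla.org/credits/");
# An optional prefix such as user_ or sticky_ before pref( is accepted.
PREF_RE = re.compile(
    r'^\s*(?:\w+_)?pref\(\s*"([^"]+)"\s*,\s*"(http://[^"]*)"\s*\)\s*;')


def find_insecure_prefs(text):
    """Return (line_no, pref_name, url, https_url) for every http: pref.

    Comment lines (such as the licence header) and preprocessor lines never
    match, because PREF_RE only accepts a pref( call at the start of a line.
    Every branch of an #ifdef block is reported, since each may ship.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = PREF_RE.match(line)
        if m:
            name, url = m.groups()
            https_url = "https://" + url[len("http://"):]
            findings.append((line_no, name, url, https_url))
    return findings


# Constructed sample: pref names and URLs are taken from the bug report,
# the surrounding layout and PLACEHOLDER_CHANNEL are made up for the example.
SAMPLE_PREFS = '''\
/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
pref("app.support.baseURL", "http://support.mozilla.org/1/mobile/%VERSION%/%OS%/%LOCALE%/");
pref("app.creditsURL", "http://www.mozilla.org/credits/");
#ifdef PLACEHOLDER_CHANNEL
pref("app.releaseNotesURL", "http://www.mozilla.com/%LOCALE%/mobile/%VERSION%/auroranotes/");
#else
pref("app.releaseNotesURL", "http://www.mozilla.com/%LOCALE%/mobile/%VERSION%/releasenotes/");
#endif
pref("app.channelURL", "https://www.mozilla.org/%LOCALE%/firefox/channel/");
'''

if __name__ == "__main__":
    for line_no, name, url, fixed in find_insecure_prefs(SAMPLE_PREFS):
        print(f"line {line_no}: {name}\n  - {url}\n  + {fixed}")
```

Before applying a suggested https: URL, confirm that the resource actually loads over HTTPS, as the report did for the URLs it lists.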