Closed
Bug 1258549
Opened 8 years ago
Closed 8 years ago
Fennec prefs contain insecure links for about: pages
Categories
(Firefox for Android Graveyard :: General, defect)
Tracking
(firefox48 verified, firefox49 verified, firefox50 verified)
VERIFIED
FIXED
Firefox 50
People
(Reporter: dveditz, Assigned: ahunt)
References
(Blocks 1 open bug)
Details
(Keywords: sec-low, Whiteboard: [adv-main48-])
Attachments
(2 files)
5.04 KB, patch | Margaret: review+, Sylvestre: approval-mozilla-aurora+, Sylvestre: approval-mozilla-beta+
1.86 KB, patch | Margaret: review+
+++ This bug was initially created as a clone of Bug #1257744 +++
Firefox for Android has several insecure (http:) links in its pref file
app.support.baseURL
  http://support.mozilla.org/1/mobile/%VERSION%/%OS%/%LOCALE%/
app.creditsURL
  http://www.mozilla.org/credits/
app.channelURL
  http://www.mozilla.org/%LOCALE%/firefox/channel/
app.releaseNotesURL
  http://www.mozilla.com/%LOCALE%/mobile/%VERSION%/auroranotes/
  http://www.mozilla.com/%LOCALE%/mobile/%VERSION%beta/releasenotes/
  http://www.mozilla.com/%LOCALE%/mobile/%VERSION%/releasenotes/
All of those resources can be loaded securely by changing http: to https:
The B2GDroid default prefs have a copy of these plus the additional pref
app.faqURL
  http://www.mozilla.com/%LOCALE%/mobile/beta/faq/
  http://www.mozilla.com/%LOCALE%/mobile/faq/
Updated•8 years ago
Assignee: nobody → margaret.leibovic
Comment 1•8 years ago
ahunt, do you want to write a quick patch for this? I haven't had time to get to this myself.
Assignee: margaret.leibovic → ahunt
Flags: needinfo?(ahunt)
Comment 2•8 years ago (Assignee)
All our licence headers contain a link to http://mozilla.org/MPL/2.0/ - upgrading that to https would make it easier to grep for this sort of thing, but might be noisy - is it worth doing that too?
Flags: needinfo?(ahunt)
Comment 3•8 years ago (Assignee)
Attachment #8759768 - Flags: review?(margaret.leibovic)
Comment 4•8 years ago (Assignee)
Attachment #8759772 - Flags: review?(margaret.leibovic)
Updated•8 years ago (Assignee)
Status: NEW → ASSIGNED
Comment 5•8 years ago
Comment on attachment 8759768: Upgrade fennec support links
Review of attachment 8759768:
Thanks.
Attachment #8759768 - Flags: review?(margaret.leibovic) → review+
Comment 6•8 years ago
Comment on attachment 8759772: Update b2g support links
Review of attachment 8759772:
Not sure if this is even used anymore, but hey, why not.
Attachment #8759772 - Flags: review?(margaret.leibovic) → review+
Comment 7•8 years ago
(In reply to Andrzej Hunt :ahunt from comment #2)
> All our licence headers contain a link to http://mozilla.org/MPL/2.0/ -
> upgrading that to https would make it easier to grep for this sort of thing,
> but might be noisy - is it worth doing that too?
Hm, that seems like something that should be updated in the boilerplate as well in that case. Could be worth filing another (non-security) bug about this, and you could ask gerv what he thinks.
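Comments 2 and 7 note that a plain grep for http: is noisy because every licence header links to http://mozilla.org/MPL/2.0/. The following is an added example, not code from this bug or from Mozilla: a comment-aware check that flags only active pref values still using http:, run over a constructed sample that reuses the pref names and URLs from the description. It assumes the pref("name", "value"); line syntax of Firefox default pref files; the function names are hypothetical.

```python
import re

# Constructed sample in pref-file syntax; pref names and URLs are those quoted in the bug.
SAMPLE_PREFS = '''\
/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

pref("app.support.baseURL", "http://support.mozilla.org/1/mobile/%VERSION%/%OS%/%LOCALE%/");
pref("app.creditsURL", "http://www.mozilla.org/credits/");
// pref("app.faqURL", "http://www.mozilla.com/%LOCALE%/mobile/faq/");
pref("app.channelURL", "https://www.mozilla.org/%LOCALE%/firefox/channel/");
'''

# Assumed line shape: pref("name", "http://...");  (string-valued prefs only)
PREF_RE = re.compile(r'\s*pref\(\s*"([^"]+)"\s*,\s*"(http://[^"]*)"\s*\)\s*;', re.I)

def strip_block_comments(text):
    """Blank out /* ... */ blocks but keep their newlines so line numbers stay valid."""
    return re.sub(r'/\*.*?\*/', lambda m: '\n' * m.group(0).count('\n'), text, flags=re.S)

def find_insecure_prefs(text):
    """Return (line, pref name, url) for every active pref whose value starts with http://."""
    findings = []
    for lineno, line in enumerate(strip_block_comments(text).splitlines(), 1):
        m = PREF_RE.match(line)  # anchored at line start, so "// pref(...)" lines are skipped
        if m:
            findings.append((lineno, m.group(1), m.group(2)))
    return findings

def upgrade_prefs(text):
    """Rewrite only the flagged values to https://; comments and licence headers are untouched.
    Only valid when the host serves the same resource over TLS, as the bug states for these URLs."""
    lines = text.splitlines(keepends=True)
    for lineno, _name, url in find_insecure_prefs(text):
        lines[lineno - 1] = lines[lineno - 1].replace(url, 'https://' + url[len('http://'):], 1)
    return ''.join(lines)

if __name__ == '__main__':
    for lineno, name, url in find_insecure_prefs(SAMPLE_PREFS):
        print(f'line {lineno}: {name} -> {url}')
```

Run as a pre-commit or CI check, an empty result from find_insecure_prefs is the pass condition; the licence header link never appears in the findings.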
Comment 8•8 years ago (Assignee)
https://hg.mozilla.org/integration/fx-team/rev/41115c9571f20cf168e85315c359a8ab40365a69
Bug 1258549 - Upgrade fennec support links r=margaret
https://hg.mozilla.org/integration/fx-team/rev/2bcd6f6c4cac57b9bf7d0df2ce6f944ff2519628
Bug 1258549 - Upgrade b2g support links r=margaret
Comment 9•8 years ago
https://hg.mozilla.org/mozilla-central/rev/41115c9571f2
https://hg.mozilla.org/mozilla-central/rev/2bcd6f6c4cac
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
status-firefox50: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → Firefox 50
Updated•8 years ago (Reporter)
Group: firefox-core-security → core-security-release
Comment 11•8 years ago (Assignee)
Comment on attachment 8759768: Upgrade fennec support links
Approval Request Comment
[Feature/regressing bug #]: n/a
[User impact if declined]: Support links use http / will be loaded insecurely. (Based on my incomplete knowledge this means they could be intercepted/spoofed/etc, I don't have access to the original bug.)
[Describe test coverage new/current, TreeHerder]: none
[Risks and why]: low risk: support links updated to https from http.
[String/UUID change made/needed]: none.
Flags: needinfo?(ahunt)
Attachment #8759768 - Flags: approval-mozilla-beta?
Attachment #8759768 - Flags: approval-mozilla-aurora?
Updated•8 years ago
status-firefox48: --- → affected
status-firefox49: --- → affected
Comment 12•8 years ago
Comment on attachment 8759768: Upgrade fennec support links
Low risk, fix a sec-low issue, taking it. Should be in 48 beta 4
Attachment #8759768 - Flags: approval-mozilla-beta?
Attachment #8759768 - Flags: approval-mozilla-beta+
Attachment #8759768 - Flags: approval-mozilla-aurora?
Attachment #8759768 - Flags: approval-mozilla-aurora+
Comment 13•8 years ago
https://hg.mozilla.org/releases/mozilla-aurora/rev/af923f4926e7
https://hg.mozilla.org/releases/mozilla-beta/rev/2091f8c1a940
Comment 14•8 years ago
Verified as fixed on Firefox 48 Beta 4, all the links are upgraded to https
Updated•8 years ago
Whiteboard: [adv-main48-]
Comment 15•8 years ago
Verified on latest Aurora and Nightly build, all the links are upgraded to https.
Updated•7 years ago (Reporter)
Group: core-security-release
Updated•3 years ago
Product: Firefox for Android → Firefox for Android Graveyard