Bug 1258549 (Closed): Fennec prefs contain insecure links for about: pages
Opened 9 years ago, closed 9 years ago
Categories: Firefox for Android Graveyard :: General, defect
Tracking: firefox48 verified, firefox49 verified, firefox50 verified
Status: VERIFIED FIXED
Milestone: Firefox 50
People: Reporter: dveditz, Assigned: ahunt
References: Blocks 1 open bug
Details: Keywords: sec-low, Whiteboard: [adv-main48-]
Attachments (2 files):
5.04 KB, patch | Margaret: review+ | Sylvestre: approval-mozilla-aurora+ | Sylvestre: approval-mozilla-beta+
1.86 KB, patch | Margaret: review+
+++ This bug was initially created as a clone of Bug #1257744 +++
Firefox for Android has several insecure (http:) links in its pref file:
app.support.baseURL
    http://support.mozilla.org/1/mobile/%VERSION%/%OS%/%LOCALE%/
app.creditsURL
    http://www.mozilla.org/credits/
app.channelURL
    http://www.mozilla.org/%LOCALE%/firefox/channel/
app.releaseNotesURL
    http://www.mozilla.com/%LOCALE%/mobile/%VERSION%/auroranotes/
    http://www.mozilla.com/%LOCALE%/mobile/%VERSION%beta/releasenotes/
    http://www.mozilla.com/%LOCALE%/mobile/%VERSION%/releasenotes/
All of those resources can be loaded securely by changing http: to https:
The B2GDroid default prefs have a copy of these plus the additional pref
app.faqURL
    http://www.mozilla.com/%LOCALE%/mobile/beta/faq/
    http://www.mozilla.com/%LOCALE%/mobile/faq/
Updated•9 years ago
Assignee: nobody → margaret.leibovic
Comment 1•9 years ago
ahunt, do you want to write a quick patch for this? I haven't had time to get to this myself.
Assignee: margaret.leibovic → ahunt
Flags: needinfo?(ahunt)
Comment 2•9 years ago (Assignee)
All our licence headers contain a link to http://mozilla.org/MPL/2.0/ - upgrading that to https would make it easier to grep for this sort of thing, but might be noisy - is it worth doing that too?
Flags: needinfo?(ahunt)
Comment 3•9 years ago (Assignee)
Attachment #8759768 - Flags: review?(margaret.leibovic)
Comment 4•9 years ago (Assignee)
Attachment #8759772 - Flags: review?(margaret.leibovic)
Updated•9 years ago (Assignee)
Status: NEW → ASSIGNED
Comment 5•9 years ago
Comment on attachment 8759768: Upgrade fennec support links
Review of attachment 8759768:
-----------------------------------------------------------------
Thanks.
Attachment #8759768 - Flags: review?(margaret.leibovic) → review+
Comment 6•9 years ago
Comment on attachment 8759772: Update b2g support links
Review of attachment 8759772:
-----------------------------------------------------------------
Not sure if this is even used anymore, but hey, why not.
Attachment #8759772 - Flags: review?(margaret.leibovic) → review+
Comment 7•9 years ago
(In reply to Andrzej Hunt :ahunt from comment #2)
> All our licence headers contain a link to http://mozilla.org/MPL/2.0/ -
> upgrading that to https would make it easier to grep for this sort of thing,
> but might be noisy - is it worth doing that too?
Hm, that seems like something that should be updated in the boilerplate as well in that case.
Could be worth filing another (non-security) bug about this, and you could ask gerv what he thinks.
Comment 8•9 years ago (Assignee)
https://hg.mozilla.org/integration/fx-team/rev/41115c9571f20cf168e85315c359a8ab40365a69
Bug 1258549 - Upgrade fennec support links r=margaret
https://hg.mozilla.org/integration/fx-team/rev/2bcd6f6c4cac57b9bf7d0df2ce6f944ff2519628
Bug 1258549 - Upgrade b2g support links r=margaret
Comment 9•9 years ago
https://hg.mozilla.org/mozilla-central/rev/41115c9571f2
https://hg.mozilla.org/mozilla-central/rev/2bcd6f6c4cac
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
status-firefox50: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → Firefox 50
Updated•9 years ago (Reporter)
Group: firefox-core-security → core-security-release
Comment 11•9 years ago (Assignee)
Comment on attachment 8759768: Upgrade fennec support links
Approval Request Comment
[Feature/regressing bug #]: n/a
[User impact if declined]: Support links use http / will be loaded insecurely. (Based on my incomplete knowledge this means they could be intercepted/spoofed/etc, I don't have access to the original bug.)
[Describe test coverage new/current, TreeHerder]: none
[Risks and why]: low risk: support links updated to https from http.
[String/UUID change made/needed]: none.
Flags: needinfo?(ahunt)
Attachment #8759768 - Flags: approval-mozilla-beta?
Attachment #8759768 - Flags: approval-mozilla-aurora?
Updated•9 years ago
status-firefox48: --- → affected
status-firefox49: --- → affected
Comment 12•9 years ago
Comment on attachment 8759768: Upgrade fennec support links
Low risk, fix a sec-low issue, taking it.
Should be in 48 beta 4
Attachment #8759768 - Flags: approval-mozilla-beta?
Attachment #8759768 - Flags: approval-mozilla-beta+
Attachment #8759768 - Flags: approval-mozilla-aurora?
Attachment #8759768 - Flags: approval-mozilla-aurora+
Comment 13•9 years ago
Comment 14•9 years ago
Verified as fixed on Firefox 48 Beta 4, all the links are upgraded to https
Updated•9 years ago
Whiteboard: [adv-main48-]
Comment 15•9 years ago
Verified on latest Aurora and Nightly build, all the links are upgraded to https.
Updated•9 years ago (Reporter)
Group: core-security-release
Updated•5 years ago
Product: Firefox for Android → Firefox for Android Graveyard