Newsgroups "Click here to remove all expired articles" should be in chrome UI, not in content
Categories
(MailNews Core :: Networking: NNTP, defect)
Tracking
(Not tracked)
People
(Reporter: BenB, Assigned: welpy-cw)
References
(Depends on 1 open bug)
Details
(Keywords: regression, Whiteboard: [regression:TB52])
Attachments
(1 file)
| Reporter | ||
Updated•9 years ago
|
Comment 1•9 years ago
|
||
Updated•9 years ago
|
| Reporter | ||
Comment 2•9 years ago
|
||
Comment 3•9 years ago
|
||
Comment 4•9 years ago
|
||
Comment 5•9 years ago
|
||
Comment 6•9 years ago
|
||
Updated•3 years ago
|
| Assignee | ||
Comment 7•18 days ago
|
||
The "Remove All Expired Articles" button in about:newserror previously
worked by navigating to a news:// URL with a ?list-ids query parameter
that NntpChannel interpreted specially. Replace this with a direct method
call on NntpIncomingServer to close a theoretical injection path
where a crafted news: URI could trigger privileged operations.
Changes:
- Add NntpIncomingServer.removeExpiredArticles(groupName) which uses
LISTGROUP to fetch current article keys from the server and removes
any local keys no longer present. - Update newsError.js to call the new method directly instead of
navigating to a news:?list-ids URL. - Remove the ?list-ids handling and _removeExpired() from NntpChannel.
- Add xpcshell test for removeExpiredArticles.
- Remove the now-obsolete test_listIds test.
Updated•18 days ago
|
| Reporter | ||
Comment 8•18 days ago
|
||
@Hartmut: Thanks for fixing the old security bug!
I also appreciate that you found this bug report and fix it here, instead of just ingoring the old bugs and filing new bugs all the time.
How about "Download the rest of the message" in POP? That button is in content, too, right?
| Assignee | ||
Comment 10•18 days ago
|
||
(In reply to Ben Bucksch (:BenB) from comment #8)
@Hartmut: Thanks for fixing the old security bug!
I also appreciate that you found this bug report and fix it here, instead of just ingoring the old bugs and filing new bugs all the time.
My pleasure. While 'news:' URIs from non-privileged sources are sanitized since bug 1886132, so that a news message spoofing an news:error page wouldn't mean any actual harm anymore, having this expire action still even relying on a URI doesn't make much sense.
| Assignee | ||
Comment 11•18 days ago
|
||
(In reply to Francesco from comment #9)
How about "Download the rest of the message" in POP? That button is in content, too, right?
I think such a message could be as easily spoofed, but I don't know it there is an actual attack vector. Isn't there already be a distinct bug for that?
| Assignee | ||
Updated•17 days ago
|
Comment 12•17 days ago
|
||
Pushed by geoff@darktrojan.net:
https://hg.mozilla.org/comm-central/rev/91639fef0c0b
Replace NNTP ?list-ids URL mechanism with direct removeExpiredArticles API. r=mkmelin
Description
•