Closed Bug 1477070 Opened Last year Closed 10 months ago

checkIdentity in GeckoViewProgress may need additional state check

Categories

(GeckoView :: General, defect, P1)

60 Branch
defect

Tracking

(geckoview62 wontfix, geckoview64 fixed, firefox63 wontfix, firefox64 fixed, firefox65 fixed)

RESOLVED FIXED
mozilla65
Tracking Status
geckoview62 --- wontfix
geckoview64 --- fixed
firefox63 --- wontfix
firefox64 --- fixed
firefox65 --- fixed

People

(Reporter: dipen, Assigned: droeh)

Details

Attachments

(1 file)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:60.0) Gecko/20100101 Firefox/60.0
Build ID: 20180605171542

Steps to reproduce:

This potential code issue was identified in a code review of https://bugzilla.mozilla.org/show_bug.cgi?id=1475647

The function currently checks against STATE_IS_BROKEN and returns insecure result.  It may also need to check against STATE_IS_INSECURE.  Otherwise a null exception may occur below trying to access attributes of secInfo.
I'm assigning a component, based on the bug mentioned in the description.
Component: Untriaged → Security: PSM
Product: Firefox → Core
Component: Security: PSM → GeckoView
Product: Core → Firefox for Android
Assignee: nobody → droeh
Priority: -- → P1
Attachment #9020832 - Flags: review?(snorp)
Attachment #9020832 - Flags: review?(snorp) → review+
Pushed by droeh@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/db4262ced509
Add STATE_IS_INSECURE check to checkIdentity in GeckoViewProgress.jsm r=snorp
https://hg.mozilla.org/mozilla-central/rev/db4262ced509
Status: UNCONFIRMED → RESOLVED
Closed: 10 months ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 65
Is this something we should consider backporting to 64 or can it ride the trains?
Flags: needinfo?(droeh)
Comment on attachment 9020832 [details] [diff] [review]
Add STATE_IS_INSECURE check

[Beta/Release Uplift Approval Request]

Feature/Bug causing the regression: None

User impact if declined: GeckoView apps will potentially mis-report a site's security status in some circumstances.

Is this code covered by automated tests?: No

Has the fix been verified in Nightly?: No

Needs manual test from QE?: No

If yes, steps to reproduce: 

List of other uplifts needed: None

Risk to taking this patch: Low

Why is the change risky/not risky? (and alternatives if risky): It's very low risk as it simply adds an additional check on the state of the web progress listener that should have been there in the first place.

String changes made/needed: None.
Flags: needinfo?(droeh)
Attachment #9020832 - Flags: approval-mozilla-beta?
Comment on attachment 9020832 [details] [diff] [review]
Add STATE_IS_INSECURE check

[Triage Comment]
Avoids GeckoView apps potentially mis-reporting a site's security status. Approved for 64.0b7.
Attachment #9020832 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
status-geckoview64=fixed
Product: Firefox for Android → GeckoView
Version: 60 Branch → Firefox 60
Version: Firefox 60 → 60 Branch
Target Milestone: Firefox 65 → mozilla65
You need to log in before you can comment on or make changes to this bug.