Closed Bug 1477070 Opened 6 years ago Closed 6 years ago

checkIdentity in GeckoViewProgress may need additional state check

Categories

(GeckoView :: General, defect, P1)

60 Branch
defect

Tracking

(geckoview62 wontfix, geckoview64 fixed, firefox63 wontfix, firefox64 fixed, firefox65 fixed)

RESOLVED FIXED
mozilla65
Tracking Status
geckoview62 --- wontfix
geckoview64 --- fixed
firefox63 --- wontfix
firefox64 --- fixed
firefox65 --- fixed

People

(Reporter: dipen, Assigned: droeh)

Details

Attachments

(1 file)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:60.0) Gecko/20100101 Firefox/60.0 Build ID: 20180605171542 Steps to reproduce: This potential code issue was identified in a code review of https://bugzilla.mozilla.org/show_bug.cgi?id=1475647 The function currently checks against STATE_IS_BROKEN and returns insecure result. It may also need to check against STATE_IS_INSECURE. Otherwise a null exception may occur below trying to access attributes of secInfo.
I'm assigning a component, based on the bug mentioned in the description.
Component: Untriaged → Security: PSM
Product: Firefox → Core
Component: Security: PSM → GeckoView
Product: Core → Firefox for Android
Assignee: nobody → droeh
Priority: -- → P1
Attachment #9020832 - Flags: review?(snorp)
Attachment #9020832 - Flags: review?(snorp) → review+
Pushed by droeh@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/db4262ced509 Add STATE_IS_INSECURE check to checkIdentity in GeckoViewProgress.jsm r=snorp
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 65
Is this something we should consider backporting to 64 or can it ride the trains?
Flags: needinfo?(droeh)
Comment on attachment 9020832 [details] [diff] [review] Add STATE_IS_INSECURE check [Beta/Release Uplift Approval Request] Feature/Bug causing the regression: None User impact if declined: GeckoView apps will potentially mis-report a site's security status in some circumstances. Is this code covered by automated tests?: No Has the fix been verified in Nightly?: No Needs manual test from QE?: No If yes, steps to reproduce: List of other uplifts needed: None Risk to taking this patch: Low Why is the change risky/not risky? (and alternatives if risky): It's very low risk as it simply adds an additional check on the state of the web progress listener that should have been there in the first place. String changes made/needed: None.
Flags: needinfo?(droeh)
Attachment #9020832 - Flags: approval-mozilla-beta?
Comment on attachment 9020832 [details] [diff] [review] Add STATE_IS_INSECURE check [Triage Comment] Avoids GeckoView apps potentially mis-reporting a site's security status. Approved for 64.0b7.
Attachment #9020832 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
status-geckoview64=fixed
Product: Firefox for Android → GeckoView
Version: 60 Branch → Firefox 60
Version: Firefox 60 → 60 Branch
Target Milestone: Firefox 65 → mozilla65
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: