Closed Bug 1576616 Opened 1 year ago Closed 1 year ago

Should not treat JNLP files as Executables (revert bug 1392955) on ESR-68

Categories

(Firefox :: File Handling, defect)

68 Branch
defect
Not set
normal

Tracking

()

RESOLVED FIXED
Tracking Status
firefox-esr60 --- unaffected
firefox-esr68 70+ fixed
firefox68 --- wontfix
firefox69 --- wontfix
firefox70 --- wontfix

People

(Reporter: pieter.breugelmans, Assigned: Gijs)

References

Details

Attachments

(1 file)

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0

Steps to reproduce:

The fix introduced by bug 1392955 (CVE-2019-11696) seems to add any file with a .jnlp extension to a larger list of files Firefox treats as an executable. This results in a default behavior to save and launch the .jnlp files from the operating system (on Windows). If an end user sets up a Firefox option, they are allowed to launch a .jnlp file from the browser, but they still get a scary warning message every single time they try to launch a file with a .jnlp extension.

A file with a .jnlp extension is merely an XML document that describes a Java application (https://docs.oracle.com/javase/8/docs/technotes/guides/javaws/developersguide/syntax.html). It is not an "executable". We think treating .jnlp files as an executable is an oversight. Java product management has explained the layers of security checks performed by the Java platform itself, before allowing any code referenced in a .jnlp file to actually run, in the following comment in the original CVE:

https://bugzilla.mozilla.org/show_bug.cgi?id=1392955#c16

They have also highlighted the comparison between Microsoft Word documents and .jnlp files.

We are filing this issue so files with .jnlp extensions are treated as they always were, i.e. reverted back to the prior behavior.

Bugs can be reopened; I'm duping this back to bug 1392955, no point splitting the conversation. We're considering options, I'll respond in the other bug once we reach a conclusion.

Status: UNCONFIRMED → RESOLVED
Closed: 1 year ago
Resolution: --- → DUPLICATE
Duplicate of bug: CVE-2019-11696
Component: Untriaged → File Handling

We will remove JNLP from the list on esr68. We'll update the other bug with more details.

Assignee: nobody → gijskruitbosch+bugs
Status: RESOLVED → REOPENED
Ever confirmed: true
Resolution: DUPLICATE → ---
Summary: CVE 2019-11696 Should not treat JNLP files as Executables → Should not treat JNLP files as Executables (revert bug 1392955)

Comment on attachment 9088258 [details]
Bug 1576616 - remove JNLP as an executable extension on esr68, r?dveditz,a=?

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration: We broke enterprise use of JNLP
  • User impact if declined: Bad experience using JNLP, users forced to migrate to other browsers
  • Fix Landed on Version: n/a
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): We're just removing jnlp from the list of objectionable extensions. This brings windows in line with mac/linux and other browsers (sort of) in terms of warnings wrt JNLP files.

Note that we do not currently plan to land this change on trunk/nightly, nor therefore non-esr 68/69 release. I think Dan will post a more elaborate comment on the original bug with rationale. We're hoping to make more significant changes to our executable handling in the near future, but that won't be possible on ESR, so this is our only option to unbreak enterprises who rely on this for productivity.

  • String or UUID changes made by this patch: nope
Attachment #9088258 - Flags: approval-mozilla-esr68?

Ryan, given this bug isn't fixed on any other branches, unsure if this gets flagged up on your approval queries, so pinging you directly - I think you and Dan already discussed this bug.

Flags: needinfo?(ryanvm)

I suggested to Dan that we take this as a ride-along to whatever ESR68 build we create next (noting that we already built the 68.1esr RC today) but ultimately it's Julien's call as the owner of this release. Given that we aren't force-migrating users from ESR60 to ESR68 until 68.2esr in October, I'm not sure this warrants respinning the 68.1esr builds on its own.

Flags: needinfo?(ryanvm) → needinfo?(jcristau)

This bug (a simple back-out) has been made specific to ESR-68. For discussion going forward please see bug 1576762

See Also: → 1576762
Summary: Should not treat JNLP files as Executables (revert bug 1392955) → Should not treat JNLP files as Executables (revert bug 1392955) on ESR-68

Comment on attachment 9088258 [details]
Bug 1576616 - remove JNLP as an executable extension on esr68, r?dveditz,a=?

approved for 68.2

Attachment #9088258 - Flags: approval-mozilla-esr68? → approval-mozilla-esr68+
Status: REOPENED → RESOLVED
Closed: 1 year ago1 year ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.