[Unix] Make nsOSHelperAppService::GetFromTypeAndExtension() not call OS MIME APIs in content
Categories
(Core :: Security: Process Sandboxing, enhancement, P1)
Tracking
| Release | Tracking | Status |
|---|---|---|
| firefox72 | --- | affected |
People
(Reporter: gcp, Assigned: jld)
References
(Blocks 2 open bugs)
Details
Attachments
(1 obsolete file)
+++ This bug was initially created as a clone of Bug #1452278 +++
HTMLInputElement::SetFilePickerFiltersFromAccept() calls nsIMIMEService->GetFromTypeAndExtension() from content processes which ends up querying the OS for MIME/handler information. This causes problems for sandboxed content processes. We need to change the Linux version of nsOSHelperAppService::GetFromTypeAndExtension() so that it's safe to use from content processes.
Comment 1 (Reporter) • 6 years ago
Comment 2 (Reporter) • 6 years ago
Comment 3 • 6 years ago
Hm, I thought the documentchannel-related work would allow more of these decisions to happen in the parent (bug 1574372). How far along is that, and what's this work blocking? It'd be nice to not add more sync child-to-parent IPC, especially while doing network loads...
Comment 4 (Reporter) • 6 years ago
Comment 5 (Reporter) • 6 years ago
> How far along is that,

I don't know anything whatsoever about that.

> what's this work blocking?
Tightening the sandbox rules. Right now MIME lookup either pokes pretty nasty holes to see which executables are available or doesn't work correctly (typically both at the same time because). This patch remotes the MIME lookup to the parent. We've been shipping it on macOS for several releases, and this just uses the same codepath now on Unixy systems.
Comment 6 • 6 years ago
I'm a bit confused now (we discussed it on IRC with :gcp), as from what I can understand so far on OpenBSD the 'open file with its appropriate mime handler' is already done in the parent/main process, as with the unveil() work in bug #1580271 we've figured out that as long as the main process had access to /usr/local/bin/gio-launch-desktop files could be opened in external handlers. So for Linux I don't really know what it changes; would it separate the 'ask the OS what is the mime handler' action from the 'open the file with the mime handler' action? Doesn't it use the mime handler registered/configured in Firefox anyway?
Comment 7 (Reporter) • 6 years ago
After some discussion this may not help as much as expected...I'd need to look better to understand if there's outstanding breakage on Linux too.
Comment 8 (Assignee) • 3 years ago
(In reply to Gian-Carlo Pascutto [:gcp] from comment #7)
> After some discussion this may not help as much as expected...I'd need to look better to understand if there's outstanding breakage on Linux too.
The answer seems to be yes: bug 1763848.
gcp, do you want to try to pick this back up, or should I / someone else take a look?
Updated (Reporter) • 3 years ago
Comment 9 (Assignee) • 3 years ago
Fixed in bug 1763848.
Updated (Assignee) • 3 years ago