Closed Bug 1616007 Opened 2 years ago Closed 10 months ago

Policies set via GPO can be bypassed/canceled by using an invalid policies.json file

Categories

(Firefox :: Enterprise Policies, defect, P1)

All
Windows 10
defect

Tracking

RESOLVED DUPLICATE of bug 1552600
Tracking Status
firefox73 --- unaffected
firefox74 --- verified
firefox75 --- verified

People

(Reporter: emilghitta, Assigned: mkaply)

References

(Regression)

Details

(Keywords: regression)

Attachments

(1 obsolete file)

Affected versions

  • Firefox 75.0a1 (BuildId:20200216210001)
  • Firefox 74.0b1 (BuildId:20200210140608)

Unaffected versions

  • Firefox 73.0 (BuildId:20200207195153)

Affected platforms

  • Windows 10 64bit.

Preconditions
Enable several policies via GPO (e.g. Disable Private Browsing and Disable Firefox Screenshots).

Steps to reproduce

  1. Create a distribution folder inside your Firefox path.
  2. Add a policies.json file which contains invalid entries.
  3. Launch Firefox.
  4. Access the about:policies page.

Expected result

  • Policies that were previously set via GPO are being successfully displayed inside the about:policies page and they are successfully applied. (In this case Private Browsing and Firefox Screenshots should be disabled).

Actual result

  • Policies that were previously set via GPO are not applied. (In this case Private Browsing and Firefox Screenshots are enabled.)

Regression Range

  • I think that this may have come with the changes performed in Bug 1552600.

Note
Example of invalid policies.json file content:
    {
      "policies": {
        "DisableTelemetry": true,
        "DisableMasterPasswordCreation": true,
        "Locke
      }
    }
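
A defensive check for the condition in the steps above, as an added example that is not part of the original report or of Firefox's code: it classifies the distribution/policies.json under an install directory so that a malformed file can be flagged. The function names, status strings and temporary directories are constructed for illustration; the expectation of a top-level "policies" object is taken from the sample in the report.

```python
import json
import tempfile
from pathlib import Path

# Constructed sample: the invalid policies.json content quoted in the report.
INVALID_SAMPLE = """{
"policies": {
"DisableTelemetry": true,
"DisableMasterPasswordCreation": true,
"Locke
}
}"""


def audit_policies_file(install_dir):
    """Classify <install_dir>/distribution/policies.json as (status, detail).

    absent    - no file present
    malformed - file exists but does not parse as JSON (the case reported here)
    bad-shape - valid JSON without a top-level "policies" object (assumed layout)
    ok        - parses; detail is the comma-separated policy names it sets
    """
    path = Path(install_dir) / "distribution" / "policies.json"
    if not path.is_file():
        return ("absent", "")
    try:
        # utf-8-sig tolerates a BOM written by some Windows editors.
        data = json.loads(path.read_text(encoding="utf-8-sig"))
    except ValueError as exc:  # covers JSONDecodeError and UnicodeDecodeError
        return ("malformed", str(exc))
    if not isinstance(data, dict) or not isinstance(data.get("policies"), dict):
        return ("bad-shape", 'no top-level "policies" object')
    return ("ok", ",".join(sorted(data["policies"])))


def make_sample_install(content):
    """Build a throwaway install directory (hypothetical helper for the demo)."""
    root = Path(tempfile.mkdtemp(prefix="fx-install-"))
    if content is not None:
        (root / "distribution").mkdir()
        (root / "distribution" / "policies.json").write_text(content, encoding="utf-8")
    return root


if __name__ == "__main__":
    for label, content in [("no file", None), ("report sample", INVALID_SAMPLE),
                           ("valid", '{"policies": {"DisableTelemetry": true}}')]:
        print(label, audit_policies_file(make_sample_install(content)))
```

A "malformed" result on a managed machine is worth alerting on, since on the affected builds listed above it coincides with GPO policies not being applied.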

Hi Mike,

I think that Bug 1552600 may have introduced this behavior.

Can you please take a look?

Thank you!

Flags: needinfo?(mozilla)
Keywords: regression
Assignee: nobody → mozilla
Status: NEW → ASSIGNED

Thanks!

Interestingly enough, this bug was there in the very beginning of the policy engine, but was exposed by my patch:

https://searchfox.org/mozilla-esr60/source/browser/components/enterprisepolicies/EnterprisePolicies.js#364

Flags: needinfo?(mozilla)
Pushed by mozilla@kaply.com:
https://hg.mozilla.org/integration/autoland/rev/8bd615a461b7
Invalid hasPolicies check. r=mconley
Has Regression Range: --- → yes
Has STR: --- → yes

I've backed out the original patch while I do more investigation.

Flags: needinfo?(mozilla)
Priority: -- → P1

74 and 75 are fixed by the backout in bug 1552600, adjusting flags. It would be good to have QA verify that the backout did fix the problem here though.

I can confirm that the backout for Bug 1552600 fixes this issue.

Tested with Firefox 74.0b8 (BuildId:20200226031638) and Firefox 75.0a1 (BuildId:20200226092757).

Mike, should we address the follow-up work for this underlying issue in another place? (Should I file a new issue or a task maybe?)

Thank you!

Flags: qe-verify+ → needinfo?(mozilla)

I think we should just leave this for now and I'll double check it when I redo bug 1552600.

Flags: needinfo?(mozilla)
Attachment #9127320 - Attachment is obsolete: true

I'm finally fixing bug 1552600 and I'm duping this to that bug because I fixed this specific case and I added a test for it.

Status: ASSIGNED → RESOLVED
Closed: 10 months ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1552600