Blocked about pages in policy can be bypassed by modifying the URL with mixed case
Categories: Firefox :: Enterprise Policies, defect, P1
People: Reporter: mkaply, Assigned: mkaply
References: Regression
Details: Keywords: regression
Attachments (1 file): 48 bytes, text/x-phabricator-request | RyanVM: approval-mozilla-beta+ | RyanVM: approval-mozilla-esr91+
If you block about:config via policy, then go to the URL and explicitly change the c in config to C, you can view about:config.
This bypasses the autocomplete which forces it to about:config.
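The bypass in the description comes down to comparing the typed about: URL against the policy blocklist with a case-sensitive string match, while Firefox resolves the about: module name without regard to case. The following JavaScript is an added illustration and is not Firefox's policy code or the patch attached to this bug: `BLOCKED_ABOUT_PAGES`, `isBlockedNaive`, `canonicalAboutPage` and `isBlockedHardened` are hypothetical names, and the blocklist entries are constructed from the pages named in this bug. It places the weak comparison beside a normalized one that lower-cases the module name and drops any query string or fragment before matching.

```javascript
// Added illustration (not Firefox's own code): a case-sensitive about:
// blocklist beside a normalized one. All names here are hypothetical.

// Constructed blocklist, as an enterprise policy might express it.
const BLOCKED_ABOUT_PAGES = ["about:config", "about:addons", "about:profiles"];

// Weak check: exact string comparison. "about:Config" is not equal to
// "about:config", so it is not blocked even though the browser will
// resolve it to the same page.
function isBlockedNaive(url) {
  return BLOCKED_ABOUT_PAGES.includes(url);
}

// Canonical form of an about: URL: scheme and module name lower-cased,
// query string and fragment removed. Returns null for non-about: URLs,
// including an http(s) URL whose path merely contains "about:config".
function canonicalAboutPage(url) {
  const trimmed = url.trim();
  if (!/^about:/i.test(trimmed)) {
    return null;
  }
  const rest = trimmed.slice("about:".length);
  const moduleName = rest.split(/[?#]/, 1)[0].toLowerCase();
  return `about:${moduleName}`;
}

// Hardened check: compare the canonical form, so any spelling of the
// module name (about:Config, ABOUT:CONFIG, about:config#top) matches
// the blocklist entry.
function isBlockedHardened(url) {
  const canonical = canonicalAboutPage(url);
  return canonical !== null && BLOCKED_ABOUT_PAGES.includes(canonical);
}

// Side-by-side comparison over constructed inputs: returns a list of
// [url, naiveResult, hardenedResult] so the difference is visible.
function compareChecks(urls) {
  return urls.map((u) => [u, isBlockedNaive(u), isBlockedHardened(u)]);
}

// Usage: the rows where the two results differ are the bypasses.
for (const row of compareChecks(["about:config", "about:Config", "about:blank"])) {
  console.log(row.join("\t"));
}
```

The normalization step is the whole fix: whatever form the policy stores, both the stored value and the URL being checked must be reduced to the same canonical form before they are compared, or every alternate spelling the browser accepts becomes a bypass.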
Comment 1 (Assignee) • 3 years ago
I'm going to make sure about:reader does the right thing as well even though doing about:READER?url=https://www.yahoo.com doesn't work - see bug 1750220
Comment 2 (Assignee) • 3 years ago
Comment 3 • 3 years ago
Is that a regression? Does it affect ESR?
Comment 4 (Assignee) • 3 years ago
> Is that a regression?
Yes, but it happened a long time ago (Firefox 84)
> Does it affect ESR?
Yes.
Comment 6 • 3 years ago: bugherder
Comment 7 • 3 years ago
Set release status flags based on info from the regressing bug 1559181
Comment 8 (Assignee) • 3 years ago
Comment on attachment 9259123 [details]
Bug 1750221 - Block mixed case about URLs in policy. r?mstriemer,mtigley
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration: Policy only
- User impact if declined: User can bypass blocked about pages
- Fix Landed on Version: 98
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Policy, lots of automated tests
Beta/Release Uplift Approval Request
- User impact if declined: User can bypass blocked about pages
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: No
- Needs manual test from QE?: Yes
- If yes, steps to reproduce: Steps in bug
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Policy only, lots of automated tests
- String changes made/needed:
Comment 9 • 3 years ago
Comment on attachment 9259123 [details]
Bug 1750221 - Block mixed case about URLs in policy. r?mstriemer,mtigley
Approved for 97.0b6.
Comment 10 • 3 years ago: bugherder uplift
Comment 11 • 3 years ago
Comment on attachment 9259123 [details]
Bug 1750221 - Block mixed case about URLs in policy. r?mstriemer,mtigley
Approved for 91.6esr.
Comment 12 • 3 years ago: bugherder uplift
Comment 13 • 3 years ago
This is verified fixed using Firefox 98.0a1 (BuildID: 20220127213627), 97.0b9 (BuildID: 20220127193706) and Firefox 91.6.0esr (provided in comment 12) on Windows 10 64-bit, macOS 11 & Ubuntu 18.04.
Verified that about pages like about:addons, about:config and about:profiles can no longer be bypassed via mixed case on Windows 10 64-bit (using both policies.json & GPO), Ubuntu 18.04 (via json) & macOS 11 (via json).