Closed Bug 1805305 Opened 2 years ago Closed 2 years ago

services.settings.server sometimes intentionally ignored; log something to avoid dev time-wastage

Categories

(Firefox :: Remote Settings Client, defect)

Product:
Firefox
Component:
Remote Settings Client
Platform:
Desktop
All
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
110 Branch
Tracking Flags:
Tracking Status
firefox110 --- fixed

People

(Reporter: dmosedale, Assigned: dmosedale)

References

Details

Attachments

(1 file)

Bug 1805305 - log when services.settings.server is ignored, r?leplatrem
48 bytes, text/x-phabricator-request
Details | Review

In bug 1758645, the MOZ_REMOTE_SETTINGS_DEVTOOLS environment variable was added to make it possible to test different remote settings servers (eg stage) such that the services.settings.server would be read (rather than quietly ignored) in Nightly and Beta. I had to waste a bunch of time in order to realize that the problem was that the preference was being intentionally ignored, rather than there being some more direct kind of bug that was causing my problem.

I'm assuming this is for security reasons, so I've marked this bug private for now, though I'm a bit skeptical here.

I'd like to propose a log message explicitly mentioning MOZ_REMOTE_SETTINGS_DEVTOOLS if the pref is set and ignored, or, if we can't live with that, at least logging what server is being used, so that a developer has a chance of noticing what's going on without a bunch of unnecessary detective work.

I've added a straw-man patch which I can modify to be more appropriate, once I know what would be acceptable. Mathieu, how would you feel about a message that explicitly mentions the environment variable?

Flags: needinfo?(mathieu)
Group: partner-confidential → firefox-core-security

I'm sorry Dan if you wasted time on this. You're right, we could guide developers better.

such that the services.settings.server would be read (rather than quietly ignored) in Nightly and Beta.

Quick note: the services.settings.server pref is always read on Nightly and when running tests.
The env var is necessary on Beta and Release (source)

Mathieu, how would you feel about a message that explicitly mentions the environment variable?

I don't think it would be problematic. The env var is mentionned in the docs and in the code.
If an attacker gains enough privileges to modify environment variables on the machine, there's not much we can do.

I think it would make sense to output a warning message mentioning the env var when:

  • the server preference is set to a value different than AppConstants.REMOTE_SETTINGS_SERVER_URL
  • the env var is not set
  • we're not running tests

Maybe the appropriate place is the getter of allowServerURLOverride where almost all these info are available at hand

Flags: needinfo?(mathieu)
Assignee: nobody → dmosedale

I don't think it is necessary to hide this. I think the dangers of special testing environment variables are not that obscure.

Group: firefox-core-security
Attachment #9307917 - Attachment description: WIP: Bug 1805305 - add log so dev can see silent pref ignore → Bug 1805305 - log when services.settings.server is ignored, r?leplatrem
Pushed by dmosedale@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/30fc4653fdff log when services.settings.server is ignored, r=leplatrem

https://hg.mozilla.org/mozilla-central/rev/30fc4653fdff

Status: NEW → RESOLVED
Closed: 2 years ago
status-firefox110: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 110 Branch
Regressions: 1806638
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: