51.54 KB, image/png
51.40 KB, image/png
4.52 KB, patch
|Details | Diff | Splinter Review|
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.5b) Gecko/20030730 Mozilla Firebird/0.6.1 An XPI with a very long filename pushes the Cancel button off the screen, making it look like Install is the only button [screenshot 1]. A slightly longer filename pushes enough of the Install button off of the screen that you can't tell what the button says [screenshot 2]. This is a security hole. I would expect to have a high success rate with this attack, even though the "close window" button in the titlebar is still available.
ssu, do you have cycles to work on this?
blake or ben, can you look at this. it doesn't look very difficult.
Flags: blocking1.5? → blocking1.5+
note, the file in question is http://lxr.mozilla.org/mozilla/source/xpinstall/res/content/institems.xul
bad things can still happen if you make this dialog too narrow. also, this uses window and not dialog (it must be one of the old, old dialogs) let me look into that.
Created attachment 130701 [details] [diff] [review] patch
Attachment #130697 - Attachment is obsolete: true
Comment on attachment 130701 [details] [diff] [review] patch firstname.lastname@example.org
Attachment #130701 - Flags: review+
Created attachment 130702 [details] [diff] [review] updated patch
Attachment #130701 - Attachment is obsolete: true
Assignee: ssu → sspitzer
fixed, thanks to ben for the review.
Status: NEW → RESOLVED
Last Resolved: 15 years ago
Resolution: --- → FIXED
Comment on attachment 130702 [details] [diff] [review] updated patch a=asa (on behalf of drivers) for checkin to Mozilla 1.5
Attachment #130702 - Flags: approval1.5+
the current UI for dialog is: <name> <cert name> <full url> you can still run into some less than desirable appearance issues if any of those are overly long (but at least the buttons will be on screen). I'm sure the UI could be improved, and I'll log a bug to track that.
spun off the UI issue to bug #218030
drivers, do we want this for 1.4?
fixed in 1.5, removing security flag
Whiteboard: security → [sg:fix]
Comment on attachment 130702 [details] [diff] [review] updated patch a=mkaply for 1.4.2
Attachment #130702 - Flags: approval1.4.2+
Flags: blocking1.4.2? → blocking1.4.2+
verified XPI file names no longer push buttons out of view. NPWINMCIMIDI.xpi get's crunched to NPWIN....xpi
Status: RESOLVED → VERIFIED
Keywords: csec-spoof, sec-high
Whiteboard: security [sg:fix]
You need to log in before you can comment on or make changes to this bug.