Closed Bug 21559 Opened 25 years ago Closed 25 years ago

[SECURITY][DOGFOOD]XPI confirm buttons pushed off dlg if too many components

Categories

(Core Graveyard :: Installer: XPInstall Engine, defect, P3)

Product:
Core Graveyard
Component:
Installer: XPInstall Engine
Platform:
All
Other
Type:
defect

Tracking

(Not tracked)

Status:
VERIFIED FIXED

People

(Reporter: dveditz, Assigned: dbragg)

Details

(Whiteboard: [PDT+]Fix in hand)

When components are added to the XPI confirmation dialog each component pushes the buttons down a line, and eventually off the dialog (see the commercial "update.html" page for an example). When this happens the user can do nothing but close the dialog, which due to another bug (21558) means the user can only *approve* the install. This is a huge security risk--a malicious person could trigger a multi-install with enough padding to force the user to accept the install. If the download were small enough the user might not be able to kill Mozilla or the connection in time to stop it. This is *further* compounded by the fact that the "cancel" button on the subsequent download dialog causes the dialog to go away, but does NOT halt the install -- giving the user the impression they have done enough to protect themselves.
Target Milestone: M12
Status: NEW → ASSIGNED
Accepting. I've got a simple fix for the "close" part of this bug. I'm working on either getting a scroll bar for the tree control or making the dialog expand with the input.
Whiteboard: [PDT-]
Putting on PDT- radar. You should install the whole thing, no piece meal.
Whiteboard: [PDT-] → Fix in hand
This has nothing to do with *our* installs or how we deliver dogfood. This is a SECURITY HOLE that others can exploit to install and run viruses or trojans on your machine. We have a fix
Status: ASSIGNED → RESOLVED
Closed: 25 years ago
Resolution: --- → FIXED
Fixed using a new skin file that lays out the tree control. The control now uses scroll bars if there are more then 6 triggers in one multiple trigger. If it is determined that more than 6 should be visible, we can easily change it in the future.
Whiteboard: Fix in hand → [PDT+]Fix in hand
Putting on PDT+ radar.
Status: RESOLVED → VERIFIED
Build 1999-12-14-09-M12(WIN), 1999-12-14-08-M12(MAC), 1999-12-14-11-M12(LINUX) All is well. Open http://jimbob/jars/f_multitrigger_lotsa.html. This test is only for testing the confirmation dialog.
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.