Closed Bug 246122 Opened 21 years ago Closed 21 years ago

Add bugzilla.mozilla.org to xpinstall blacklist

Categories

(Core Graveyard :: Installer: XPInstall Engine, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: dveditz, Assigned: dveditz)

References

Details

(Whiteboard: [sg:fix])

Attachments

(1 file)

bug 240552 comment 59 raised the possibility of an attacker opening a whitelisted site in a frame and poking its DOM to launch an install. That shouldn't be possible due to the same-origin policy, but just about anybody could add an install-launching bugzilla attachment fairly anonymously and then load that in a frame/window.
Flags: blocking1.7?
Whiteboard: [sg:fix]
Attached patch: add to blacklist
Not blocking 1.7--we're going to turn off the whitelisting for the release until we get some UI for it and we don't want bugzilla testcase attachments to mysteriously fail in the meanwhile.
Flags: blocking1.7? → blocking1.7-
Instead of having mozilla.org on the whitelist and the subdomain bugzilla.mozilla.org on the blacklist, how about having update.mozilla.org on the whitelist?
That's definitely what Ben's going to do for Firefox. I thought that was too restrictive, but maybe we'd only need updates.mozilla.org and ftp.mozilla.org for the suite. There are probably some test cases on www.mozilla.org, but testers could easily add that one themselves.
We don't need to fix this one as long as we don't whitelist mozilla.org. Currently the plan is to whitelist only update.mozilla.org.
Group: security
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → WONTFIX
Product: Core → Core Graveyard
