Closed Bug 254231 Opened 21 years ago Closed 11 years ago

Allow feeds from file://

Categories

(MailNews Core :: Feed Reader, enhancement)

Product:
MailNews Core
Component:
Feed Reader
Platform:
x86
All
Type:
enhancement
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED DUPLICATE of bug 1569797

People

(Reporter: asqueella, Unassigned)

References

Details

Attachments

(1 file, 4 obsolete files)

updated
2.39 KB, patch
alta88
: review+
Details | Diff | Splinter Review
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040730 Firefox/0.9.1+ (best browser EVAR1!!) Build Identifier: version 0.7+ (20040730) Currently Thunderbird checks if the feed's URL is http: > if (!uri.schemeIs("http")) > return this.onParseError(this); // simulate an invalid feed error It would be great if Thunderbird allowed me read feeds from my hard drive without having to set up a local web server. Would be useful for testing TB's feed parser as well as creating own feeds. Also this could be used to deliver messages from local services to mail/rss client under Windows, which is currently impossible (afaik). If you think it's not needed, at least please isolate the check into a replacable function, say Feed.checkURL(), so that those who need this may just replace that function instead of changing TB code. (The reason for checking for http in the URL is: >This is just a sanity check so we don't try opening mailto urls, imap urls, etc. that the user may have tried to subscribe to as an rss feed..) Reproducible: Always Steps to Reproduce: 1. Add http://www.squarefree.com/burningedge/index.rdf feed. 2. Delete the feed (del, OK, del from trash) 3. Add the feed - http://www.squarefree.com/burningedge/index.rdf - again. Actual Results: The feed's items are no longer shown in the message view (at least most of them - one item appeared sometimes). Thanks in advance ;-)
Damn, the original bug report is messed up because of Firefox bugs regarding forms and Go back. Specifically it filled in blank textboxes with data from bug 254230. Please ignore the text after "Reproducible: Always" (except for Thanks in advance :-)
This also prevents reading of private rss feeds over https, maybe the line should read something like: if (!uri.schemeIs("http") && !uri.schemeIs("https") && !uri.schemeIs("file")) return this.onParseError(this); // simulate an invalid feed error Making the error a little more descriptive wouldn't hurt, but I don't know enough about the code to suggest a mechanism for that.
Blocks: 260837
Attached patch Allows file:// urls for feeds (obsolete) — Splinter Review
This seems to do it. My first patch... :)
Attachment #174873 - Flags: review?(mscott)
Status: UNCONFIRMED → NEW
Ever confirmed: true
Updated the patch. Seems to work fine for ftp URLs too, so I made them allowed also.
Attachment #174873 - Attachment is obsolete: true
Attachment #190101 - Flags: review?(mscott)
Attachment #174873 - Flags: review?(mscott)
So will the patch enable also support for HTTPS feeds? Have somebody tested it? I need HTTPS protocol and HTTP authentication support in order to reed our companys internal RSS feeds.
Comment on attachment 190101 [details] [diff] [review] proposed fix. allows file and ftp feed urls I'm not sure I'm that keen about allowing ftp and file urls to run in this scenario. Maybe I'm just being paranoid from a security point of view and just need to think on this more.
Attachment #190101 - Flags: review?(mscott)
OS: Windows XP → All
QA Contact: rss
Assignee: mscott → nobody
Component: RSS → Feed Reader
Product: Thunderbird → MailNews Core
can anyone think of a real reason this shouldn't be implemented? (not sure how putting a file through a parser equals 'run'.. or how a remote file is in any way safer than a local file.) i implemented this locally, trying .exe and .dll and other stuff and it just throws invalid feed like any other malformed xml. if anything, it would make getting a testsuite infinitely easier, as mentioned above.
Same risks as with opening a web page locally. Scripts in the file can access other local files (at least below current path, can't recall what it's like nowadays) and send that data off to wherever it wants.
If we did this this would need to go thru a security review before landing
I would suggest asking for feedback from mozilla.dev.platform/mozilla.dev.security.
it was always possible, but it's now simpler to allow feed file:// url handling. the small function FileUtils.isValidScheme(aUri) can be overloaded to include "file". note that due to bug 740865, an incorrect file will throw and require a restart.
Attached patch patch (obsolete) — Splinter Review
[Security approval request comment] Security approval requested to perform Thunderbird feed subscriptions from file:// urls. This is an xhr get request on a file which should be a well formed feed (atom/rss syntax) xml file. The resulting parsing of this file creates a feed message in the same way a remote http:// document is handled; the file would not be loaded in a docshell eg.
Attachment #190101 - Attachment is obsolete: true
Attachment #752437 - Flags: sec-approval?
Attachment #752437 - Flags: review?(mkmelin+mozilla)
Comment on attachment 752437 [details] [diff] [review] patch Review of attachment 752437 [details] [diff] [review]: ----------------------------------------------------------------- I'm fine with this ::: mailnews/extensions/newsblog/content/Feed.js @@ +132,5 @@ > + // Need to check for the file's existence explicitly due to Bug 740865. > + let file; > + try { > + file = Services.io.newURI(uri.spec, null, null). > + QueryInterface(Ci.nsIFileURL).file; in these kind of cases dots should go on the new line, and then align the dots
Attachment #752437 - Flags: review?(mkmelin+mozilla) → review+
Comment on attachment 752437 [details] [diff] [review] patch Please don't set the sec-approval flag on patches that aren't security related. This isn't a security bug.
Attachment #752437 - Flags: sec-approval?
Attached patch updated (obsolete) — Splinter Review
updated for comments, added bad parse log message.
Assignee: nobody → alta88
Attachment #752437 - Attachment is obsolete: true
Attachment #752937 - Flags: sec-approval?
Attachment #752937 - Flags: review+
(In reply to Al Billings [:abillings] from comment #15) > Comment on attachment 752437 [details] [diff] [review] > patch > > Please don't set the sec-approval flag on patches that aren't security > related. This isn't a security bug. Then how is a security review initiated? Or are you saying such a review is unnecessary here?
Flags: needinfo?(abillings)
sec-approval isn't used for security review. Sec-approval is used when you want permission to check in a security bug. Please read the bug approval process and quit setting this flag on a non-security bug. https://wiki.mozilla.org/Security/Bug_Approval_Process
Flags: needinfo?(abillings)
Attachment #752937 - Flags: sec-approval?
Keywords: checkin-needed
Comment on attachment 752937 [details] [diff] [review] updated Review of attachment 752937 [details] [diff] [review]: ----------------------------------------------------------------- ::: mailnews/extensions/newsblog/content/Feed.js @@ +128,5 @@ > } > > + if (uri.schemeIs("file")) > + { > + // Need to check for the file's existence explicitly due to Bug 740865. Bug 740865 WFM so we can remove this.
Removing that file scheme check results in (win) for file://foo: Thu May 23 2013 12:15:21 Error: NS_ERROR_FAILURE: Failure Source file: chrome://messenger-newsblog/content/Feed.js Line: 177 for file:///foo: Thu May 23 2013 12:16:59 Error: NS_ERROR_FILE_UNRECOGNIZED_PATH: File error: Unrecognized path Source file: chrome://messenger-newsblog/content/Feed.js Line: 177 Tb24.0a1 comm-central pulled 2 days ago and a mozilla-central pulled about a week ago. As for Bug 740865, there was a discussion last fall about the Tb trains using gecko ESR, but it's not clear what the state is.
Maybe invalid path is the issue, like the message says. Tried file://C:/foobar ? (My succesful test was on linux.) I think those discussions were related to a possible intermediate release, something like "17.1", but those plans are dropped AFAIK. Trunk need to follow mozilla-central, otherwise we'd break pretty quickly.
Right, and that does work, but the point of Bug 740865 is to not ever throw on send() regardless of what the url is. In this case it's entered in a freeform text field.. Otherwise it has to be validated, like in the current patch. I would have thought so, thus it seems Bug 740865 isn't really fixed, since file:/ or file:foo will throw on send() and crash the dialog.
Attached patch updatedSplinter Review
Attachment #752937 - Attachment is obsolete: true
Attachment #754984 - Flags: review+
Flags: needinfo?(curtisk)
(In reply to alta88 from comment #23) > Created attachment 754984 [details] [diff] [review] > updated What info exactly are you needing from me?
Flags: needinfo?(curtisk)
Curtis does this need to go thru sec-review ?
Flags: needinfo?(curtisk)
I'll sec-review? and bring it up in triage to see what the team thinks
Flags: needinfo?(curtisk) → sec-review?
Flags: sec-review? → sec-review?(dveditz)
Flags: sec-review?(dveditz) → sec-review?
Flags: sec-review? → sec-review?(dveditz)
Flags: sec-review?(dveditz)
Flags: sec-review?
Flags: needinfo?(dveditz)
Flags: sec-review?(dveditz)
Flags: sec-review?
Flags: needinfo?(dveditz)
It would be extra extra great if we could finalize this in time for the Tb 24 major release, which branches on June 24.
Assignee: alta88 → nobody
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → WONTFIX
Since this was closed WONTFIX, cancelling sec-review
Flags: sec-review?(dveditz)

Finally fixed in bug 1569797.

Resolution: WONTFIX → DUPLICATE
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: