Bug 264265: Don't launch helper apps by default (back out bug 223333)
Status: VERIFIED FIXED
Opened 21 years ago, closed 21 years ago
Categories: Firefox :: Shell Integration, defect
People: Reporter: dveditz, Assigned: dveditz
Keywords: fixed-aviary1.0, late-l10n
Bug 223333 added a bunch of default MIME types that Firefox will happily pass on
to external helper apps without asking the user. Most of the standard helper
apps for those types have had announced security exploits (e.g. PDF had an
unpatched exploit announced today).
We can assume that any complex program contains bugs; do we really want to add
another unknown pile of exploits to our default exposure? Sure, people who use
those types regularly will be inconvenienced by the prompt dialog until they
save the "don't ask" setting, at which point they become vulnerable. But this
still helps us because:
- we're not vulnerable out of the box (PR aspect)
- anyone who never uses particular types would not be vulnerable.
- users who choose "don't ask" are vulnerable, but at their choice
  (perhaps poorly understood, but they may remember that action should
  they hear of an attack making the rounds)
- given only a fraction of our user base vulnerable, attackers may not
  bother developing certain exploits against our users.
Updated (Assignee) • 21 years ago
Flags: blocking-aviary1.0mac?
Flags: blocking-aviary1.0?
Comment 3 (Assignee) • 21 years ago
This file has been moved under mozilla/browser/locales/en-US -- so it'll have
localization impact to change it. CC'ing bsmedberg
Latest word from Ben (G) was to empty the file rather than remove the
alwaysAsk=false. Hopefully that will have less impact on l10n.
Flags: blocking-aviary1.0+ → blocking-aviary1.0?
Comment 4 • 21 years ago
a=me for any security-related changes to these files, as long as you give
instructions to npm.l10n what they ought to do.
Comment 5 (Assignee) • 21 years ago
Checked in empty default mimeTypes.rdf for mac and win (unix was already empty).
l10n folks can just copy the US files; there is no localizable text in them anymore.
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
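An added example, not code from this bug or from Mozilla: a Python check that lists the MIME types in a mimeTypes.rdf whose handler entry carries alwaysAsk=false, the setting discussed in comments 3 and 5, and confirms that an emptied file has none. The RDF layout used here (the NC namespace and `urn:mimetype:handler:` subjects) and both sample documents are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

RDF = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
NC = "http://home.netscape.com/NC-rdf#"
HANDLER_PREFIX = "urn:mimetype:handler:"  # assumed subject naming

# Constructed sample, not the file from the bug: one type set to launch
# without a prompt, one that still asks.
SAMPLE_RDF = """<?xml version="1.0"?>
<RDF:RDF xmlns:NC="http://home.netscape.com/NC-rdf#"
         xmlns:RDF="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
  <RDF:Description RDF:about="urn:mimetype:handler:application/pdf"
                   NC:alwaysAsk="false" NC:useSystemDefault="true"/>
  <RDF:Description RDF:about="urn:mimetype:handler:application/msword"
                   NC:alwaysAsk="true" NC:useSystemDefault="true"/>
</RDF:RDF>"""

# Constructed stand-in for an emptied default file.
EMPTY_RDF = """<?xml version="1.0"?>
<RDF:RDF xmlns:NC="http://home.netscape.com/NC-rdf#"
         xmlns:RDF="http://www.w3.org/1999/02/22-rdf-syntax-ns#"/>"""


def silent_handlers(rdf_text):
    """Return MIME types whose handler entry explicitly sets alwaysAsk=false."""
    root = ET.fromstring(rdf_text)
    found = []
    for desc in root.iter(f"{{{RDF}}}Description"):
        about = desc.get(f"{{{RDF}}}about", "")
        if not about.startswith(HANDLER_PREFIX):
            continue
        # RDF/XML allows the property as an attribute or as a child element.
        value = desc.get(f"{{{NC}}}alwaysAsk")
        if value is None:
            child = desc.find(f"{{{NC}}}alwaysAsk")
            value = child.text if child is not None else None
        # Entries with no alwaysAsk property are not reported.
        if value is not None and value.strip().lower() == "false":
            found.append(about[len(HANDLER_PREFIX):])
    return sorted(found)


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_RDF), ("empty", EMPTY_RDF)):
        print(name, silent_handlers(text))
```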
Comment 6 • 21 years ago
Tested with 2004102009-0.9+ on linux fc2 and 2004102007-0.9+ on mac os x 10.3.5:
so far this looks good. Clicked various links (.doc for Word, .xls for Excel,
.ppt for PowerPoint) and got prompted with the helper application ("opening
<filename>") dialog each time.
Comment 7 • 21 years ago
also vrfy'd fixed on WinXP sp1 with 2004102007-0.9+.
Status: RESOLVED → VERIFIED
Comment 8 (Assignee) • 21 years ago
*** Bug 243127 has been marked as a duplicate of this bug. ***