Closed Bug 264265 Opened 18 years ago Closed 18 years ago

Don't launch helper apps by default (back out bug 223333)

Categories

(Firefox :: Shell Integration, defect)

Product:
Firefox
Component:
Shell Integration
Version:
1.0 Branch
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: dveditz, Assigned: dveditz)

References

Details

(Keywords: fixed-aviary1.0, late-l10n) 

bug 223333 added a bunch of default mime types that Firefox will happily pass on
to external helper apps without asking the user. Most of the standard helper
apps for those types have had announced security exploits (e.g. PDF had an
unpatched exploit announced today).

We can assume that any complex program contains bugs, do we really want to add
another unknown pile of exploits to our default exposure. Sure, people who use
those types regularly will be inconvenienced by the prompt dialog until they
save the "don't ask" setting, at which point they become vulnerable. But this
still helps us because
 - we're not vulnerable out of the box (PR aspect)
 - anyone who never uses particular types would not be vulnerable.
 - users who choose "don't ask" are vulnerable, but at their choice
   (perhaps poorly understood, but they may remember that action should
   they hear of an attack making the rounds)
 - given only a fraction of our user base vulnerable, attackers may not
   bother developing certain exploits against our users.
Flags: blocking-aviary1.0mac?
Flags: blocking-aviary1.0?
I can do the work given Ben's approval.
Assignee: bugs → dveditz
Blocks: 245380
ok,  lets remove the flag.
Flags: blocking-aviary1.0? → blocking-aviary1.0+
This file has been moved under mozilla/browser/locales/en-US -- so it'll have
localization impact to change it. CC'ing bsmedberg

Latest word from Ben (G) was to empty the file rather than remove the
alwaysAsk=false. Hopefully that will have less impact on l10n.
Flags: blocking-aviary1.0+ → blocking-aviary1.0?
a=me for any security-related changes to these files, as long as you give
instructions to npm.l10n what they ought to do.
Checked in empty default mimeTypes.rdf for mac and win (unix was already empty).

l10n folks can just copy the US files, there is no localizable text in them anymore.
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Flags: blocking-aviary1.0mac?
Flags: blocking-aviary1.0?
Keywords: fixed-aviary1.0, late-l10n
tested with 2004102009-0.9+ on linux fc2 and 2004102007-0.9+ on mac os x 10.3.5:
so far this looks good. Clicked various links (.doc for Word, .xls for Excel,
.ppt for Powerpoint) and got prompted with the helper application ("opening
<filename>") dialog each time.
also vrfy'd fixed on WinXP sp1 with 2004102007-0.9+.
Status: RESOLVED → VERIFIED
*** Bug 243127 has been marked as a duplicate of this bug. ***
You need to log in before you can comment on or make changes to this bug.