In: http://lxr.mozilla.org/seamonkey/source/modules/libpref/src/init/all.js#189 the pref: pref("advanced.mailftp", true); is defaulted to TRUE which means: "Send email address as password to anonymouse FTP sites!" Expected: Is off per default!
Assignee: matt → chuang
->lchiang's group for qa.
QA Contact: sairuh → lchiang
sairuh - this pref has nothing to do with mail functionality. It has to do with ftp functionality :-)
QA Contact: lchiang → sairuh
reassgin to mcafee since he's the author for pref-irc.xul which has "advanced.mailftp".
Assignee: chuang → mcafee
pref-irc.xul should be empty right now, this pref is also in: http://lxr.mozilla.org/seamonkey/source/xpfe/components/prefwindow/resources/content/pref-advanced.xul#80 which makes this a mailnews bug. Back to chuang.
Assignee: mcafee → chuang
I don't own pref-advanced.xul. Mailnews doesn't use this pref.
Assignee: chuang → matt
4.x profiles migrated forward do not have this problem, as it was off by default there. This would seem to merit being a beta 1 blocker, as this would be very bad PR for the project early on if "Mozilla Gives Out Your E-mail Address to Every FTP Site" gets splashed around in the media.
Move to M16 for now ...
Target Milestone: M15 → M16
I still think this is important for moving to M18. Talk about bad security if your e-mail address is submitted to all FTP sites.
Bug 35317, "Option "Send email as anonymous ftp password" should not be on by default", has been made a DUP of RFE bug 17661, "RFE: pref for "Prompt to send e-mail address as FTP password""... creating such a pref, using it, and setting it true by default would address this problem, but: If that is to be a distinct pref, either bug 17761 needs to no longer be an RFE, or advanced.mailftp also needs to default to false. The other alternative, and this feels cleaner to me, would be to make advanced.mailftp accept three states: "yes", "no", and "ask", corresponding to: +-----FTP---------------------------------------------------+ | ( ) Send email address as FTP password | | (*) Do not send email address as FTP password | | ( ) Ask before sending email address as FTP password | +-----------------------------------------------------------+ Note that anyone using MailNews (or whatever it will be called) as a primary mail user agent does not have the option of using a null or bogus email address to avoid leaking their real address to FTP sites.
Summary: advanced.mailftp should NOT be true as default! → advanced.mailftp (address as password) SHOULDN'T default ON (true)!
Move to M21 target milestone.
Target Milestone: M18 → M21
over to tever (for ftp qa :-).
QA Contact: sairuh → tever
What happens when the pref is off? Will we just send a random string, or will we prompt the user? A lot of users might be confused by the latter behavior, since other browsers don't ask them for passwords on ftp sites, and if they haven't used a command-line ftp client., they probably won't expect to have to type a password.
Status: ASSIGNED → RESOLVED
Last Resolved: 18 years ago
Resolution: --- → DUPLICATE
akk, we send a "random" string ("mozilla@"). Seems like this pref is never used. <rant> If it was, and I didn't file a new bug and fixed it, N6 would have shipped with default on. Something like that must not happen. You need to care more about your bugs. </rant>
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.