advanced.mailftp (address as password) SHOULDN'T default ON (true)!

VERIFIED DUPLICATE of bug 55030

Status

P3
normal
19 years ago
14 years ago

People

(Reporter: bugzilla, Assigned: matt)

Tracking

Trunk
x86
Windows 98

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

(Reporter)

Description

19 years ago
In:
http://lxr.mozilla.org/seamonkey/source/modules/libpref/src/init/all.js#189

the pref:
pref("advanced.mailftp", true);

is defaulted to TRUE which means:
"Send email address as password to anonymous FTP sites!"

Expected:
Is off per default!
(Assignee)

Comment 1

19 years ago
mail pref
Assignee: matt → chuang
->lchiang's group for qa.
QA Contact: sairuh → lchiang

Comment 3

19 years ago
sairuh - this pref has nothing to do with mail functionality.  It has to do with 
ftp functionality :-)
QA Contact: lchiang → sairuh

Comment 4

19 years ago
reassign to mcafee since he's the author for pref-irc.xul which has 
"advanced.mailftp".
Assignee: chuang → mcafee

Comment 5

19 years ago
pref-irc.xul should be empty right now, this pref is also in:
http://lxr.mozilla.org/seamonkey/source/xpfe/components/prefwindow/resources/content/pref-advanced.xul#80
which makes this a mailnews bug.  Back to chuang.
Assignee: mcafee → chuang

Comment 6

19 years ago
I don't own pref-advanced.xul.  Mailnews doesn't use this pref.
Assignee: chuang → matt
(Assignee)

Updated

19 years ago
Status: NEW → ASSIGNED
Target Milestone: M15

Comment 7

19 years ago
4.x profiles migrated forward do not have this problem, as it was off by default 
there.

This would seem to merit being a beta 1 blocker, as this would be very bad PR 
for the project early on if "Mozilla Gives Out Your E-mail Address to Every FTP 
Site" gets splashed around in the media.

Comment 8

19 years ago
Move to M16 for now ...
Target Milestone: M15 → M16

Updated

19 years ago
Target Milestone: M16 → M18
(Reporter)

Comment 9

19 years ago
I still think this is important for moving to M18. Talk about bad security if 
your e-mail address is submitted to all FTP sites.

Comment 10

19 years ago
Bug 35317, "Option "Send email as anonymous ftp password" should not be on by 
default", has been made a DUP of RFE bug 17661, "RFE: pref for "Prompt to send 
e-mail address as FTP password""... creating such a pref, using it, and setting
it true by default would address this problem, but:

If that is to be a distinct pref, either bug 17761 needs to no longer be
an RFE, or advanced.mailftp also needs to default to false.

The other alternative, and this feels cleaner to me, would be to make
advanced.mailftp accept three states: "yes", "no", and "ask", corresponding to:

+-----FTP---------------------------------------------------+
| ( ) Send email address as FTP password                    |
| (*) Do not send email address as FTP password             |
| ( ) Ask before sending email address as FTP password      |
+-----------------------------------------------------------+

Note that anyone using MailNews (or whatever it will be called) as a primary
mail user agent does not have the option of using a null or bogus email
address to avoid leaking their real address to FTP sites. 
Summary: advanced.mailftp should NOT be true as default! → advanced.mailftp (address as password) SHOULDN'T default ON (true)!
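
The three-state pref proposed in comment 10, sketched as an added example (not Mozilla code and not part of the original thread). The function names and the `confirmFn` prompt callback are hypothetical; the `mozilla@` placeholder is the string the thread later reports as being sent. Existing boolean values are mapped to yes/no, and anything unrecognized fails closed to "no".

```javascript
// Added example, not Mozilla code. All names here are hypothetical.
const PLACEHOLDER = "mozilla@"; // non-identifying string reported later in the thread

// Normalize a stored pref value to "yes" | "no" | "ask".
// Boolean values (the pref's current type) map to yes/no; anything
// missing or unrecognized fails closed to "no" so nothing leaks by default.
function normalizeMailFtpPref(value) {
  if (value === true) return "yes";
  if (value === false) return "no";
  if (typeof value === "string") {
    const v = value.trim().toLowerCase();
    if (v === "yes" || v === "no" || v === "ask") return v;
  }
  return "no";
}

// Decide what to send as the password for an anonymous FTP login.
// confirmFn(host) stands in for a user prompt and must return true
// for the address to be disclosed to that host.
function anonymousFtpPassword(prefValue, email, host, confirmFn) {
  const state = normalizeMailFtpPref(prefValue);
  const hasEmail = typeof email === "string" && email.includes("@");
  if (!hasEmail || state === "no") return PLACEHOLDER;
  if (state === "yes") return email;
  // state === "ask": disclose only on an explicit yes from the user
  const ok = typeof confirmFn === "function" && confirmFn(host) === true;
  return ok ? email : PLACEHOLDER;
}

// Constructed sample values, for illustration only.
const sampleEmail = "user@example.org";
const sampleHost = "ftp.example.org";
console.log(anonymousFtpPassword("ask", sampleEmail, sampleHost, () => false));
```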

Comment 11

19 years ago
Move to M21 target milestone.
Target Milestone: M18 → M21
over to tever (for ftp qa :-).
QA Contact: sairuh → tever
(Reporter)

Comment 13

19 years ago
Created attachment 10361 [details] [diff] [review]
Diff to fix worst part of problem...
(Reporter)

Updated

19 years ago
Keywords: patch

Comment 14

19 years ago
What happens when the pref is off?  Will we just send a random string, or will
we prompt the user?  A lot of users might be confused by the latter behavior,
since other browsers don't ask them for passwords on ftp sites, and if they
haven't used a command-line ftp client, they probably won't expect to have to
type a password.

Comment 15

18 years ago
Bug 55030 has the same patch and is rtm++.

*** This bug has been marked as a duplicate of 55030 ***
Status: ASSIGNED → RESOLVED
Last Resolved: 18 years ago
Resolution: --- → DUPLICATE
akk, we send a "random" string ("mozilla@").

Seems like this pref is never used.
<rant>
If it was, and I didn't file a new bug and fixed it, N6 would have shipped with
default on. Something like that must not happen. You need to care more about
your bugs.
</rant>
VERIFY DUP.
Status: RESOLVED → VERIFIED
Product: Browser → Seamonkey