Closed Bug 309228 Opened 19 years ago Closed 19 years ago

Default prefs for blocking DOMParser in mailnews have a typo

Categories

(MailNews Core :: Security, defect)

PowerPC
macOS
defect
Not set
normal

Tracking

(Not tracked)

VERIFIED FIXED

People

(Reporter: jruderman, Assigned: mscott)

Details

(Keywords: fixed1.8, verified1.7.13, Whiteboard: [sg:fix])

Attachments

(1 file)

http://lxr.mozilla.org/mozilla/source/modules/libpref/src/init/all.js

// Restrictions on the DOM for mail/news - see bugs 66938 and [bug 84545]
pref("capability.policy.mailnews.sites", "mailbox: imap: news:");
...
pref("capability.policy.mailnews.DOMParser,parseFromString", "noAccess");
pref("capability.policy.mailnews.DOMParser,parseFromStream", "noAccess");

Those commas should be periods!  I don't know how bad a security hole this is.
Flags: blocking1.8b5?
Flags: blocking-aviary1.0.8?
Those prefs were added in bug 152701.  This might not be a security hole,
because I can't think of how you could use DOMParser for a wiretap-style exploit.
Blocks: 84545
I can change the commas to a period pretty easily :)
Assignee: nobody → mscott
Flags: blocking1.8b5? → blocking1.8b5+
Flags: blocking1.7.13?
Whiteboard: [sg:fix]
Attached patch: the fix
Attachment #197121 - Flags: review?(jruderman)
Attachment #197121 - Flags: review?(jruderman) → review+
Attachment #197121 - Flags: superreview?
Attachment #197121 - Flags: approval1.8b5?
Attachment #197121 - Flags: superreview?
Attachment #197121 - Flags: approval1.8b5?
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Comment on attachment 197121 [details] [diff] [review]
the fix

Wow, Bugzilla got messed up here quite badly.
Attachment #197121 - Flags: superreview?
Attachment #197121 - Flags: approval1.8b5?
Minimo contains a copy of the mailnews capability prefs.  I think that copy
should either stay in sync, or be removed if it's not used.
I will fix up the all.js for Minimo.
Verified with Mac Thunderbird trunk build 2005-09-23-07-trunk
Status: RESOLVED → VERIFIED
Attachment #197121 - Flags: approval1.8b5? → approval1.8b5+
Keywords: fixed1.8
Flags: blocking1.7.13?
Flags: blocking1.7.13+
Flags: blocking-aviary1.0.8?
Flags: blocking-aviary1.0.8+
Comment on attachment 197121 [details] [diff] [review]
the fix

aviary101/moz17 landing approval: a=dveditz for drivers. Please add the fixed1.7.13 and fixed-aviary1.0.8 keywords when landed.
Attachment #197121 - Flags: approval1.7.13+
Attachment #197121 - Flags: approval-aviary1.0.8+
dveditz to check in for 1.0.8/1.7.13
Fix checked into aviary101/moz17 branches
Keywords: fixed1.7.13
v.fixed on 1.0.1 Aviary branch by code inspection with LXR: http://lxr.mozilla.org/aviary101branch/source/modules/libpref/src/init/all.js
Flags: testcase-
verified on the 1.7 branch using inspection: http://lxr.mozilla.org/mozilla1.7/source/modules/libpref/src/init/all.js

Using Mozilla 1.7.13 Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.13) Gecko/20060306. Adding keyword.
Jay verified this fix (Comment 11) on the 1.0.1 aviary branch, so we should be okay for Thunderbird 1.0.8.
Group: security
Product: Core → MailNews Core
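
An added example, not part of the bug thread or Mozilla's code: a Node.js lint that flags capability.policy pref names with a segment that is not a plain identifier (the comma typo reported here) and reports drift between all.js and a second copy such as Minimo's. The function names, the segment grammar and the sample strings are assumptions constructed for illustration.

```javascript
// Added example (not Mozilla code). The allowed segment grammar is an assumption.
const PREF_RE = /^\s*pref\(\s*"([^"]+)"\s*,\s*("(?:[^"\\]|\\.)*"|[^)]+?)\s*\)\s*;/;
const SEGMENT_RE = /^(\*|[A-Za-z_][A-Za-z0-9_-]*)$/;

// Constructed sample: the three pref lines quoted in the report, as shipped.
const SHIPPED = [
  'pref("capability.policy.mailnews.sites", "mailbox: imap: news:");',
  'pref("capability.policy.mailnews.DOMParser,parseFromString", "noAccess");',
  'pref("capability.policy.mailnews.DOMParser,parseFromStream", "noAccess");',
].join("\n");
// Constructed sample: the same lines with the commas changed to periods.
const FIXED = SHIPPED.replace(/DOMParser,/g, "DOMParser.");

// Map of pref name -> { value, line } for every pref("name", value); line.
function parsePrefs(text) {
  const prefs = new Map();
  text.split("\n").forEach((line, i) => {
    const m = PREF_RE.exec(line);
    if (m) prefs.set(m[1], { value: m[2], line: i + 1 });
  });
  return prefs;
}

// A policy pref whose name has a non-identifier segment never matches the
// class.member lookup it was meant to restrict, so the rule silently does nothing.
function malformedPolicyPrefs(text) {
  const bad = [];
  for (const [name, info] of parsePrefs(text)) {
    if (!name.startsWith("capability.policy.")) continue;
    if (!name.split(".").every((s) => SEGMENT_RE.test(s))) bad.push({ name, line: info.line });
  }
  return bad;
}

// Compare the policy block of the primary file against a vendored copy.
function policyDrift(primary, copy, prefix = "capability.policy.mailnews.") {
  const a = parsePrefs(primary), b = parsePrefs(copy), drift = [];
  for (const [name, info] of a) {
    if (!name.startsWith(prefix)) continue;
    if (!b.has(name)) drift.push(`missing in copy: ${name}`);
    else if (b.get(name).value !== info.value) drift.push(`value differs: ${name}`);
  }
  for (const name of b.keys())
    if (name.startsWith(prefix) && !a.has(name)) drift.push(`only in copy: ${name}`);
  return drift;
}

console.log(malformedPolicyPrefs(SHIPPED), policyDrift(FIXED, SHIPPED));
```

Run over the real pref files in CI, a non-empty result from either function fails the build before a dead policy rule ships.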