Don't use hard coded path names for system files on WinCE



12 years ago
8 years ago


(Reporter: Nelson Bolyard (seldom reads bugmail), Assigned: blassey)


Windows Mobile 6 Standard

Firefox Tracking Flags

(Not tracked)


(Whiteboard: [sg:investigate])

Every few years we need to revisit our entropy collection code in NSS and 
NSPR, to see if it is still adequate and if OS changes made since we last
visited it have lessened its effectiveness.  

Ben Goodger recently asked about how we gather entropy on Windows systems,
and so I took a look at it again for the first time since I worked on it
for WinCE (Pocket PC 2002) 4 years ago.  I didn't like what I found.  The 
good news is that this is not the only source of entropy on Windows systems.

Among the various sources examined for Windows, NSS looks through the files in 
\Windows\Temporary Internet Files  (recursively)
\Temp                          (non-recursively)
\Windows                       (non-recursively)

IIRC, those directories always existed on Win9x, WinME, WinCE, and WinNT, 
and maybe Win2k, but \Temp and \Windows\Temporary Internet Files don't 
always exist with WinXP.  In fact, they don't exist on this box from 
which I am now writing.  

Seems that Temporary Internet Files now commonly exists as a subdirectory of 
C:\Documents and Settings\<user>\Local Settings
and likewise Temp exists as a subdirectory of those same directories.
But in addition, there is a c:\windows\temp and a 
C:\windows\temp\Temporary Internet Files on my WinXP box.  

So, I'm thinking we should add 
C:\Documents and Settings\<user>\Local Settings\Temp       and 
C:\Documents and Settings\<user>\Local Settings\Temporary Internet Files
to the lists of directories that NSS examines for entropy upon startup.  

I think this bug should remain "security sensitive" until this is resolved.

Comment 1

12 years ago
fwiw, xpcom/io uses GetTempPathW / GetTempPathA to get the temp path.

it uses SHGetSpecialFolderLocation with SHGetPathFromIDListA 
Whiteboard: [sg:investigate]
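
An added example, not NSS code and not part of the original report: a Python audit that walks candidate entropy-source directories the way the report describes and shows which ones contribute nothing because they do not exist. The names `harvest` and `dead_sources`, and the use of `tempfile.gettempdir()` as a stand-in for the OS temp-path lookup mentioned in Comment 1, are assumptions of this example.

```python
import hashlib
import os
import tempfile

# Paths as listed in the report; where they do not exist they add nothing.
HARD_CODED = [r"\Windows\Temporary Internet Files", r"\Temp", r"\Windows"]


def harvest(directories, recursive=False):
    """Mix name, size and mtime of every file found into one SHA-256 state.

    Returns (hex_digest, counts), where counts[d] is the number of files
    read from d. A missing or unreadable directory yields 0 rather than an
    error, which is how a stale hard-coded path fails silently.
    """
    state = hashlib.sha256()
    counts = {}
    for d in directories:
        counts[d] = 0
        # os.walk ignores listing errors by default, so a missing path yields nothing.
        for root, _subdirs, files in os.walk(d):
            for name in sorted(files):
                try:
                    st = os.stat(os.path.join(root, name))
                except OSError:
                    continue  # file vanished or is unreadable
                state.update(os.fsencode(name) + b"|%d|%d" % (st.st_size, st.st_mtime_ns))
                counts[d] += 1
            if not recursive:
                break  # top level only
    return state.hexdigest(), counts


def dead_sources(counts):
    """Directories that contributed no input at all."""
    return [d for d, n in counts.items() if n == 0]


if __name__ == "__main__":
    # Assumption: tempfile.gettempdir() stands in for the OS lookup
    # (GetTempPathW on Windows); it is not what NSS itself calls.
    candidates = HARD_CODED + [tempfile.gettempdir()]
    digest, counts = harvest(candidates)
    for d, n in counts.items():
        print(f"{n:6d} files  {d}")
    print("contributed nothing:", dead_sources(counts))
```

File metadata is only one low-grade input; the count per directory is the useful output here, since a zero means that source silently dropped out of the seed.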

Comment 2

12 years ago
Re-reading the sources, I see that the use of those hard-coded paths
is only for WinCE.  So maybe this aspect of this bug is a false alarm.

Comment 3

12 years ago
Narrowing scope of this bug to WinCE.
Will file another RFE for broader scope.
Assignee: neil.williams → dougt
OS: Windows XP → Windows CE
Priority: -- → P3
Hardware: PC → PocketPC
Summary: Time for another periodic revisitation of NSS's entropy collection → Don't use hard coded path names for system files on WinCE

Comment 4

12 years ago
Actually one more note:  This PRNG seeding code was supposed to have
been moved from NSS to NSPR years ago, since it is platform dependent. 
I think that work was begun but perhaps not completed.  
Now might be a good time to complete that work.
This bug might be a good reason to do so.


12 years ago
QA Contact: alexei.volkov.bugs → libraries

Comment 5

10 years ago
not actively working on this, feel free to help yourself.
Assignee: doug.turner → nobody
OS: Windows CE → Windows Mobile 6 Standard
this was fixed in bug 466745
Last Resolved: 9 years ago
Resolution: --- → FIXED


9 years ago
Target Milestone: --- → 3.12.3


9 years ago
Assignee: nobody → bugmail
Group: core-security