mail and news seems to cache permissions to allow file urls, going against permissions in user.js



12 years ago


(Reporter: fahlmanc_ca, Assigned: dveditz)







12 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Win98; en-US; rv: Gecko/20060404 SeaMonkey/1.0.1
Build Identifier: Mozilla/5.0 (Windows; U; Win98; en-US; rv: Gecko/20060404 SeaMonkey/1.0.1

Create an email that includes a file url to some file on your computer (say).   Send the email to your mail account.
Verify that the file url's link will be correctly disallowed (assuming you've not already created a rule to allow it).
Create a rule to allow file urls from your domain in user.js

user_pref("capability.policy.policynames", "localfilelinks");
user_pref("capability.policy.localfilelinks.sites", "mailbox://");
user_pref("capability.policy.localfilelinks.checkloaduri.enabled", "allAccess");


Click on the link in mail and news and note that the file url works.

Erase "mailbox://" from user.js (and restart SeaMonkey if you like).

Open the email again, or send yourself another email with another file:// link, and click on the link. The link will open, despite there being no rule to allow it in user.js.

Reproducible: Always

Steps to Reproduce:
1. Create permission in user.js to allow file link from mailbox domain "mailbox://".
2. Verify that the file:// url in a mail works by clicking on it.
3. (Optionally, quit SeaMonkey.) Erase the permission of the mailbox domain in user.js (and if you like, restart SeaMonkey).
4. Click on a file:// url in a mail.
Actual Results:  
file link works.

Expected Results:  
File link should not work, and a permissions error should appear in the javascript window. "Security Error: Content at X may not load or link to Y".

I believe the software is somehow incorrectly caching the permission to view the file link in a mail message, and not reverifying whether permissions still exist in user.js.

Comment 1

12 years ago
This isn't just in mail and news either --> 

For instance I right now have the following rule:
user_pref("capability.policy.localfilelinks.sites", );

which should allow no file urls from any site, yet SeaMonkey is allowing file urls from mailbox:// and from my personal web page. I had earlier added the rule
user_pref("capability.policy.localfilelinks.sites", "mailbox:// http://mywebsite:port" );
then erased the two domains, yet SeaMonkey will allow file urls from those sites, even after clearing the cache or restarting the machine.


Comment 2

12 years ago
This bug is likely invalid.

After initially editing the user.js to add some allowed domains, the changes are added to prefs.js (but are not shown in about:config --> ). The good reasons for this behaviour are not mentioned in that bug 284673 although I'm sure they exist, but bug 337926 is an example of why the current behaviour might be considered bad, since it could easily lead users to believe that they had removed the capability settings (by editing user.js to remove the entries -- the only file they had originally edited to add them), since there is no evidence in the browser that the settings were ported to prefs.js and remain there ...

I'd also note that I'd initially tried to edit prefs.js to add these capability settings, but the changes were always overwritten, so I couldn't add them.


Last Resolved: 12 years ago
Resolution: --- → INVALID
You can edit prefs.js, but you have to do it when the client is shut down completely.
Group: security
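
The behaviour explained in Comment 2 (capability.policy entries added through user.js are copied into prefs.js and stay there after the user.js lines are removed) can be checked for in a profile with a short audit script. This is an added example, not code from the bug report or from Mozilla; the function names are hypothetical and both file contents are constructed samples.

```python
import re

# One pref line: user_pref("name", value); where value is a quoted string,
# a number or a boolean. Anchoring at line start skips commented-out lines.
PREF_RE = re.compile(
    r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*("(?:[^"\\]|\\.)*"|[^\s)]+)\s*\)\s*;',
    re.M)

def parse_prefs(text):
    """Return {pref_name: value} for every active user_pref() line."""
    prefs = {}
    for name, raw in PREF_RE.findall(text):
        prefs[name] = raw[1:-1] if raw.startswith('"') else raw
    return prefs

def stale_policy_prefs(user_js, prefs_js, prefix="capability.policy."):
    """List (name, value) pairs under `prefix` that prefs.js still holds
    although user.js no longer sets them."""
    declared = parse_prefs(user_js)
    stored = parse_prefs(prefs_js)
    return sorted((n, v) for n, v in stored.items()
                  if n.startswith(prefix) and n not in declared)

# Constructed sample: user.js after the policy lines were removed or commented out.
USER_JS = '''
// user_pref("capability.policy.policynames", "localfilelinks");
user_pref("browser.startup.page", 0);
'''

# Constructed sample: prefs.js that still carries the earlier grant.
PREFS_JS = '''
# Mozilla User Preferences
user_pref("browser.startup.page", 0);
user_pref("capability.policy.localfilelinks.checkloaduri.enabled", "allAccess");
user_pref("capability.policy.localfilelinks.sites", "mailbox://");
user_pref("capability.policy.policynames", "localfilelinks");
'''

if __name__ == "__main__":
    for name, value in stale_policy_prefs(USER_JS, PREFS_JS):
        print(f"still set in prefs.js only: {name} = {value!r}")
```

Any pref it lists has to be removed from prefs.js itself, with the client shut down completely as noted in the closing comment.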