Closed
Bug 375898
Opened 18 years ago
Closed 10 years ago
[meta] Places security review
Categories
(Firefox :: Bookmarks & History, defect)
RESOLVED
WORKSFORME
People
(Reporter: moco, Unassigned)
Details
(Keywords: meta, sec-other, Whiteboard: [sg:nse meta])
After investigating moz-anno URLs (which are not accessible by content, kudos to the original Places team), Myk writes: "we should do a Places security review at some point as a team to help root out and verify any other potential vulnerabilities."
Firefox 3 will include a lot of code we've never shipped in a final release before (mozilla/toolkit/components/places and mozilla/browser/components/places), so we should do a formal review.
Updated•18 years ago
Flags: blocking-firefox3?
Comment 1•18 years ago
Window, how do you want to do this?
Flags: blocking-firefox3? → blocking-firefox3+
OS: Windows XP → All
Hardware: PC → All
Updated•18 years ago
Target Milestone: --- → Firefox 3 beta1
Reporter
Comment 2•18 years ago
I had looked at the SQL statements we passed to execute() to make sure we always used bind parameters, to prevent SQL injection attacks. I think we are pretty good, but we should audit the code more carefully.
We do have code where we build up the statement with AppendInt() instead of using bind parameters, though.
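Added example, not part of the original bug or the Places code: the distinction drawn in comment 2 between statement text built from values and bind parameters, shown with Python's sqlite3 module standing in for mozStorage. The table, the function names and the input string are constructed for illustration.

```python
import sqlite3

# Constructed input: a "URL" that contains SQL syntax.
CONSTRUCTED_INPUT = "x' OR hidden = 1 OR url = '"

def make_db():
    # Hypothetical, constructed table; not the real Places schema.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE visits "
               "(id INTEGER PRIMARY KEY, url TEXT, hidden INTEGER)")
    db.executemany("INSERT INTO visits (url, hidden) VALUES (?, ?)",
                   [("https://example.org/", 0),
                    ("https://example.net/private", 1)])
    return db

def find_concat(db, url):
    # Statement text built from a caller-supplied string: the pattern an
    # audit looks for, because the value is parsed as part of the SQL.
    sql = ("SELECT url FROM visits WHERE hidden = 0 AND url = '"
           + url + "'")
    return [row[0] for row in db.execute(sql)]

def find_bound(db, url):
    # Bind parameter: the value is passed separately and is only ever data.
    sql = "SELECT url FROM visits WHERE hidden = 0 AND url = ?"
    return [row[0] for row in db.execute(sql, (url,))]

def find_by_id_appended(db, visit_id):
    # Analogue of appending an integer to the statement text. It holds only
    # while the value really is an integer; int() raises ValueError otherwise.
    sql = ("SELECT url FROM visits WHERE hidden = 0 AND id = "
           + str(int(visit_id)))
    return [row[0] for row in db.execute(sql)]

def find_by_id_bound(db, visit_id):
    # Bound form of the same lookup: no dependence on the caller's type.
    sql = "SELECT url FROM visits WHERE hidden = 0 AND id = ?"
    return [row[0] for row in db.execute(sql, (visit_id,))]

if __name__ == "__main__":
    db = make_db()
    print("concatenated:", find_concat(db, CONSTRUCTED_INPUT))
    print("bound:       ", find_bound(db, CONSTRUCTED_INPUT))
    print("int appended:", find_by_id_appended(db, 1))
    print("int bound:   ", find_by_id_bound(db, "1 OR 1=1"))
```

The integer-append form is the lower-risk case in such an audit, but it relies on every caller passing a true integer, which the bound form does not.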
Updated•18 years ago
Target Milestone: Firefox 3 M7 → Firefox 3 M8
Comment 3•18 years ago
The onsite next week would be a good time to get this started. Window/dveditz, would either of you be up for meeting then? If we don't have any process in place for formal internal sec. reviews, maybe we could write it as we go, so it could be re-used.
Comment 4•18 years ago
dolske is supposed to have an updated template for the design/security review stuff...
Comment 5•18 years ago
For the password manager review, I used the template Schrep recently updated:
http://wiki.mozilla.org/Firefox3/Feature_Plan_Template
Comment 6•18 years ago
Dietrich, can you take point on getting this slated for sometime next week/the week after? I don't think this blocks M8, but needs to be complete and have issues addressed by M9
Assignee: nobody → dietrich
Target Milestone: Firefox 3 M8 → Firefox 3 M9
Comment 7•18 years ago
Discussed w/ mconnor, moving to M10.
Status: NEW → ASSIGNED
Target Milestone: Firefox 3 M9 → Firefox 3 M10
Updated•18 years ago
Priority: -- → P1
Comment 8•17 years ago
The security review occurred on Tuesday, November 28th at 12pm PST. In attendance: mconnor, window, dveditz, jesse ruderman, ryan flint, johnath, seth spitzer, dietrich, justin dolske. (Am I missing anyone?)
The notes are available here:
http://wiki.mozilla.org/Places:SecurityReview#Notes
I'll file all issues brought up as bugs, making them dependent on this bug, and will retarget this bug for M11 in order to track the follow-up bugs.
Updated•17 years ago
Priority: P1 → P2
Comment 9•17 years ago
(In reply to comment #8)
> The security review occurred on Tuesday, November 28th at 12pm PST. In
> attendance: mconnor, window, dveditz, jesse ruderman, ryan flint, johnath, seth
> spitzer, dietrich, justin dolske. (am i missing anyone?)
me!
Comment 10•17 years ago
timr and I attended...
Updated•17 years ago
Target Milestone: Firefox 3 beta3 → Firefox 3 beta4
Updated•17 years ago
Summary: Places security review → [meta] Places security review
Updated•17 years ago
Target Milestone: Firefox 3 beta4 → Firefox 3
Comment 11•17 years ago
The issues that are considered blocking are already on the blocker list, and there's nothing here that's sensitive, so, opening, and culling from the list.
Group: security
Flags: blocking-firefox3+ → blocking-firefox3-
Updated•17 years ago
Target Milestone: Firefox 3 → ---
Updated•16 years ago
Assignee: dietrich → nobody
Updated•16 years ago
Status: ASSIGNED → NEW
Comment 12•15 years ago
Bug 451915 - move Firefox/Places bugs to Firefox/Bookmarks and History. Remove all bugspam from this move by filtering for the string "places-to-b-and-h".
In Thunderbird 3.0b, you do that as follows:
Tools | Message Filters
Make sure the correct account is selected. Click "New"
Conditions: Body contains places-to-b-and-h
Change the action to "Delete Message".
Select "Manually Run" from the dropdown at the top.
Click OK.
Select the filter in the list, make sure "Inbox" is selected at the bottom, and click "Run Now". This should delete all the bugspam. You can then delete the filter.
Gerv
Component: Places → Bookmarks & History
QA Contact: places → bookmarks
Updated•10 years ago
Priority: P2 → --
Comment 13•10 years ago
Security review for Firefox 3, outdated now. There is only one item left, but we pay a lot of attention to proper query binding, so that doesn't worry me.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → WORKSFORME