Closed Bug 388192 Opened 13 years ago Closed 13 years ago

Remove gopher OS integration support

Categories

(Firefox :: Shell Integration, defect)

defect
Not set

Tracking

()

RESOLVED FIXED
Firefox 3 beta1

People

(Reporter: robert.strong.bugs, Assigned: robert.strong.bugs)

References

()

Details

Attachments

(3 obsolete files)

This will remove a potential attack vector as seen with
http://larholm.com/2007/06/12/safari-for-windows-0day-exploit-in-2-hours/

This bug is not about removing the gopher protocol entirely
Attached patch Windows patch (checked in) (obsolete) — Splinter Review
I'm not going to do the Mac OS X or Linux patches at this time but I'd like to get the Windows one in.
Attachment #272369 - Flags: review?(sspitzer)
Attachment #272369 - Flags: review?(sspitzer) → review+
Nomin for security reasons
Flags: blocking-firefox3?
If someone more familiar with OS integration on Mac OS X and Linux would create patches for them I'd be a happy camper.

Windows patch checked in to trunk.

Checking in mozilla/browser/components/shell/src/nsWindowsShellService.cpp;
/cvsroot/mozilla/browser/components/shell/src/nsWindowsShellService.cpp,v  <--  nsWindowsShellService.cpp
new revision: 1.48; previous revision: 1.47
done
Checking in mozilla/browser/installer/windows/nsis/shared.nsh;
/cvsroot/mozilla/browser/installer/windows/nsis/shared.nsh,v  <--  shared.nsh
new revision: 1.11; previous revision: 1.10
done
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
oops! didn't mean to resolve this yet
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Attachment #272369 - Attachment description: Windows patch → Windows patch (checked in)
Attachment #272369 - Attachment is obsolete: true
Attached patch patch for Mac OS X (obsolete) — Splinter Review
Not sure if additional cleanup is required.
Attachment #272691 - Flags: review?(sspitzer)
Attached patch patch for Linux (checked in) (obsolete) — Splinter Review
Not sure if additional cleanup is required.
Comment on attachment 272691 [details] [diff] [review]
patch for Mac OS X

I discussed this change with Josh and since we already don't register as the default gopher handler on Mac OS X there should be no additional cleanup needed.
http://lxr.mozilla.org/seamonkey/source/browser/components/shell/src/nsMacShellService.cpp#151
Comment on attachment 272691 [details] [diff] [review]
patch for Mac OS X

sorry for the delay.

r=sspitzer, given that you discussed it with josh.
Attachment #272691 - Flags: review?(sspitzer) → review+
Comment on attachment 272691 [details] [diff] [review]
patch for Mac OS X

Mac OS X patch checked in to trunk

Checking in mozilla/browser/app/macbuild/Contents/Info.plist.in;
/cvsroot/mozilla/browser/app/macbuild/Contents/Info.plist.in,v  <--  Info.plist.in
new revision: 1.16; previous revision: 1.15
done
Attachment #272691 - Attachment is obsolete: true
OS: Windows Vista → All
Hardware: PC → All
Flags: blocking-firefox3? → blocking-firefox3+
Target Milestone: --- → Firefox 3 M7
Punting to M8 for the Linux piece to get finished up.
Target Milestone: Firefox 3 M7 → Firefox 3 M8
caillon, is there any additional cleanup needed if the application was set as the default gopher handler?
Target Milestone: Firefox 3 M8 → Firefox 3 M9
Whiteboard: need answer to comment 24
Linux patch checked in on trunk

Checking in mozilla/browser/components/shell/src/nsGNOMEShellService.cpp;
/cvsroot/mozilla/browser/components/shell/src/nsGNOMEShellService.cpp,v  <--  nsGNOMEShellService.cpp
new revision: 1.21; previous revision: 1.20
done
Status: REOPENED → RESOLVED
Closed: 13 years ago13 years ago
Resolution: --- → FIXED
Whiteboard: need answer to comment 24
Attachment #272692 - Attachment description: patch for Linux → patch for Linux (checked in)
Attachment #272692 - Attachment is obsolete: true
Flags: in-litmus?
wow. this is a great idea. remove attack vectors by removing protocols. So did mozilla with thunderbird: they just "removed" smtp from mozilla. No thunderbird --> no --> smtp --> no attack vectors. I hope that the next logical step is to remove http. No http --> no people coming up with that stupid ideas. An yeah: Big thanks to the endless efforts of Jan Ruzicka for fixing the gopher protocol for for Firefox 2.0 just to seeing it removed from the browser right now.
I disagree on removal. I run gopher servers daily and mozilla firefox/mozilla is only browser that is wide spread and supports it. Please dont make the wrong move.
Other wise i will have to recommend users who visit my site to use lynx or "my gcc4 fixed" version of Mosaic which i dont see so safe. Besides gopher is a fast and good protocol

-Mikko Kortelainen
gopher://xnet.fi
http://xnet.fi
I'm starting to wonder if you guys have gone completely insane.
You're talking about the kind of decisions marketing and engineering specialists make in Microsoft or Apple headquarters...

Removing an integration feature in order to remove an attack vector?
This must be a joke..
Especially considering the bug is in Safari for Windows, not Firefox :/
Especially since the vast vast majority of users never even use gopher... meh
You need to log in before you can comment on or make changes to this bug.