Closed Bug 405929 Opened 12 years ago Closed 11 years ago

ensure that JSON in copy/paste and drag/drop is not executable nor content-accessible

Categories

(Firefox :: Bookmarks & History, defect, P2)

RESOLVED WORKSFORME

People

(Reporter: dietrich, Unassigned)

(Whiteboard: [sg:investigate])

** If a script could inject JSON data in our format w/ our mime-type into the clipboard, and then get the user to paste while in the Places organizer, it could get data into the db. Kinda convoluted: no clipboard access, lots of soc. eng. required.
** Relying on Crockford's sanitization code
** Will soon be using JSON for filesystem backup/restore
** Executes in a sandbox
Blocks: 375898
Since this is a dependency of bug 375898, marking P2 so it stays on our radar for Fx3 triage/tracking.
Flags: blocking-firefox3?
Priority: -- → P2
Target Milestone: --- → Firefox 3 beta4
Whiteboard: [sg:investigate]
This will not block the final release of Firefox 3.
Flags: wanted-firefox3+
Flags: blocking-firefox3?
Flags: blocking-firefox3-
Target Milestone: Firefox 3 beta4 → Firefox 3
We're using nsIJSON now. I do not know if or how this changes the security considerations here.
Target Milestone: Firefox 3 → ---
per Rob Sayre, nsIJSON implements per the spec, in section 15:

http://wiki.ecmascript.org/lib/exe/fetch.php?id=es3.1%3Aes3.1_proposal_working_draft&cache=cache&media=es3.1:tc39-es31-draft02march09_norevisionmarks.pdf

which explains how parsing of JSON does not execute anything.

the scenario brought up in the security review was parsing external JSON, and it looks like we should be ok on that front.

there were no scenarios brought up for stringification (e.g. when copying/cutting bookmark or history data) during the review. if there's any risk from that, open a new bug.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → WORKSFORME
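
The point made in the comment above, that parsing JSON per the spec executes nothing, shown as an added example that is not part of the original bug thread or of the Firefox/Places code. The node fields (title, uri, children), the scheme allowlist and the sample payloads are assumptions constructed for illustration; the handler parses pasted text with JSON.parse and then copies only type-checked fields before anything would reach storage.

```javascript
// Added example: hypothetical paste handler, not Firefox/Places code.
// Field names (title, uri, children) and the scheme allowlist are assumptions.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "ftp:"]);
const MAX_DEPTH = 32;
let sideEffect = false; // would flip only if pasted text were executed

// Copy only known, type-checked fields into a prototype-less object.
function validateNode(node, depth = 0) {
  if (depth > MAX_DEPTH) throw new Error("nesting too deep");
  if (node === null || typeof node !== "object" || Array.isArray(node)) {
    throw new Error("node must be an object");
  }
  if (typeof node.title !== "string") throw new Error("title must be a string");
  const clean = Object.create(null);
  clean.title = node.title;
  if (node.uri !== undefined) {
    if (typeof node.uri !== "string") throw new Error("uri must be a string");
    const scheme = new URL(node.uri).protocol; // throws on malformed URIs
    if (!ALLOWED_SCHEMES.has(scheme)) throw new Error("scheme not allowed");
    clean.uri = node.uri;
  }
  if (node.children !== undefined) {
    if (!Array.isArray(node.children)) throw new Error("children must be an array");
    clean.children = node.children.map((c) => validateNode(c, depth + 1));
  }
  return clean; // unknown keys (id, __proto__, ...) are dropped
}

// JSON.parse accepts only the JSON grammar; anything else is a SyntaxError.
function acceptPaste(text) {
  try {
    return { ok: true, value: validateNode(JSON.parse(text)) };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}

// Constructed sample clipboard payloads.
const good = '{"title":"Docs","children":[{"title":"MDN","uri":"https://developer.mozilla.org/"}]}';
const notJson = '{"title":"x","uri":(function(){ sideEffect = true; return "http://a/"; })()}';
const badScheme = '{"title":"x","uri":"file:///tmp/x"}';
const extraKeys = '{"title":"x","uri":"http://example.com/","__proto__":{"a":1},"id":7}';

for (const sample of [good, notJson, badScheme, extraKeys]) {
  console.log(acceptPaste(sample));
}
```
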
Bug 451915 - move Firefox/Places bugs to Firefox/Bookmarks and History. Remove all bugspam from this move by filtering for the string "places-to-b-and-h".

In Thunderbird 3.0b, you do that as follows:
Tools | Message Filters
Make sure the correct account is selected. Click "New"
Conditions: Body   contains   places-to-b-and-h
Change the action to "Delete Message".
Select "Manually Run" from the dropdown at the top.
Click OK.

Select the filter in the list, make sure "Inbox" is selected at the bottom, and click "Run Now". This should delete all the bugspam. You can then delete the filter.

Gerv
Component: Places → Bookmarks & History
QA Contact: places → bookmarks