
Make wholeText noAccess for mailnews

RESOLVED FIXED in Thunderbird 3.0b2

Status

MailNews Core
Security
RESOLVED FIXED
9 years ago
8 years ago

People

(Reporter: philor, Assigned: philor)

Tracking

({fixed1.9.1})

Trunk
Thunderbird 3.0b2
fixed1.9.1

Attachments

(2 attachments)

(Assignee)

Description

9 years ago
Created attachment 349135 [details] [diff] [review]
Fix v.1

Followup to bug 458883 - one of the things Acid3 has given us is another way for ye olde wiretap exploit to get at the text you add when you forward a message (with JS enabled). If we somehow wind up with JS re-enableable and with CAPS working, we'll want to break wholeText.
Attachment #349135 - Flags: superreview?(bzbarsky)
Attachment #349135 - Flags: review?(bzbarsky)
Comment 1

Comment on attachment 349135 [details] [diff] [review]
Fix v.1

Whack!  Mole at 11!  ;)
Attachment #349135 - Flags: superreview?(bzbarsky) → superreview+
Attachment #349135 - Flags: review?(bzbarsky) → review+
(Assignee)

Comment 2

9 years ago
http://hg.mozilla.org/mozilla-central/rev/08917af7313d
Status: ASSIGNED → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → FIXED
(Assignee)

Comment 3

9 years ago
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/f02b476e25ee
Keywords: fixed1.9.1
Target Milestone: --- → Thunderbird 3.0b2
Comment 4

Is there a manual test case that can be performed so this bug can be marked verified?
(Assignee)

Comment 5

8 years ago
Step one: comment out the call to shell->SetAllowJavascript in nsMsgContentPolicy::DisableJSOnMailNewsUrlDocshells and recompile.

Do you want step two?
Comment 6

(In reply to comment #5)
> Step one: comment out the call to shell->SetAllowJavascript in
> nsMsgContentPolicy::DisableJSOnMailNewsUrlDocshells and recompile.
> 
> Do you want step two?

Please give me all steps.
(Assignee)

Comment 7

8 years ago
Created attachment 379732 [details]
Perhaps ad hoc test mbox

Hard to say how good they'll be, since I'm away from a compiler to check, but in theory, keeping in mind that you've now made a dangerous program, start whichever of Thunderbird or SeaMonkey you built *with a new profile*, and create a News & Blogs account, which will create Local Folders for you without the risk of an email account. Close the program, save a copy of this attachment in Mail/Local Folders/ in your profile, edit (appdir)/greprefs/all.js, comment out the line this bug added, open the program, view the mail in the "wholeText" folder (with View - Message Body As - Original HTML), and if it successfully alerts the contents of the message body, you know the test is working, and you can close the program, reedit all.js to uncomment that line, reopen, review the email, and it should not alert the contents of the message body.
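The procedure in comment 7 ends with all.js re-edited so that the line this bug added is active again. The following is an added example, not code from the bug or from Mozilla, that audits the text of an all.js for that state. The pref key shape `capability.policy.mailnews.<class>.<property>` and the sample lines are assumptions, since the patch itself is not shown on this page.

```javascript
// Added example: audit the text of greprefs/all.js for the mailnews CAPS rule.
// ASSUMPTION: keys look like capability.policy.mailnews.<class>.<property>;
// the exact line the patch added is not shown on the page.
const PREF_RE =
  /^\s*(\/\/)?\s*pref\(\s*"capability\.policy\.mailnews\.([^."]+)\.([^."]+)"\s*,\s*"([^"]*)"\s*\)\s*;/;

// One record per mailnews CAPS rule; `active` is false when the line is
// commented out with "//" (block comments are not handled here).
function parseMailnewsPolicy(prefsText) {
  const rules = [];
  prefsText.split(/\r?\n/).forEach((line, i) => {
    const m = PREF_RE.exec(line);
    if (m) {
      rules.push({ line: i + 1, active: !m[1], cls: m[2], property: m[3], value: m[4] });
    }
  });
  return rules;
}

// "blocked"       every effective rule for the property is "noAccess"
// "overridden"    some effective rule sets a value other than "noAccess"
// "commented-out" the rule exists but only behind "//" (the test-build state)
// "missing"       no rule for the property at all
function auditProperty(prefsText, property) {
  const rules = parseMailnewsPolicy(prefsText).filter((r) => r.property === property);
  if (rules.length === 0) return "missing";
  const effective = new Map(); // class -> value of the last active rule
  for (const r of rules) {
    if (r.active) effective.set(r.cls, r.value);
  }
  if (effective.size === 0) return "commented-out";
  return [...effective.values()].every((v) => v === "noAccess") ? "blocked" : "overridden";
}

// Constructed sample lines, not copied from a real all.js.
const RULE = 'pref("capability.policy.mailnews.*.wholeText", "noAccess");';
const SITES = 'pref("capability.policy.mailnews.sites", "mailbox: imap: news:");';
const SAMPLE_RELEASE = [SITES, RULE].join("\n");
const SAMPLE_TEST_BUILD = [SITES, "// " + RULE].join("\n");

console.log(auditProperty(SAMPLE_RELEASE, "wholeText"));
console.log(auditProperty(SAMPLE_TEST_BUILD, "wholeText"));
```

A result other than "blocked" on a build meant for normal use means the rule is not in effect.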
Comment 8

(In reply to comment #5)
> Step one: comment out the call to shell->SetAllowJavascript in
> nsMsgContentPolicy::DisableJSOnMailNewsUrlDocshells and recompile.
> 
I'm not sure what file this refers to.
(Assignee)

Comment 9

8 years ago
http://mxr.mozilla.org/comm-central/source/mailnews/base/src/nsMsgContentPolicy.cpp#729