Closed Bug 465892 Opened 16 years ago Closed 16 years ago

Make wholeText noAccess for mailnews

Categories

(MailNews Core :: Security, defect)

Type: defect
Priority: Not set
Severity: normal

Tracking

(Not tracked)

RESOLVED FIXED
Thunderbird 3.0b2

People

(Reporter: philor, Assigned: philor)

Details

(Keywords: fixed1.9.1)

Attachments

(2 files)

Attached patch: Fix v.1
Followup to bug 458883 - one of the things Acid3 has given us is another way for ye olde wiretap exploit to get at the text you add when you forward a message (with JS enabled). If we somehow wind up with JS re-enableable and with CAPS working, we'll want to break wholeText.
Attachment #349135 - Flags: superreview?(bzbarsky)
Attachment #349135 - Flags: review?(bzbarsky)
Comment on attachment 349135 [details] [diff] [review]
Fix v.1

Whack!  Mole at 11!  ;)
Attachment #349135 - Flags: superreview?(bzbarsky)
Attachment #349135 - Flags: superreview+
Attachment #349135 - Flags: review?(bzbarsky)
Attachment #349135 - Flags: review+
http://hg.mozilla.org/mozilla-central/rev/08917af7313d
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/f02b476e25ee
Keywords: fixed1.9.1
Target Milestone: --- → Thunderbird 3.0b2
Is there a manual test case that can be performed so this bug can be marked verified?
Step one: comment out the call to shell->SetAllowJavascript in nsMsgContentPolicy::DisableJSOnMailNewsUrlDocshells and recompile.

Do you want step two?
(In reply to comment #5)
> Step one: comment out the call to shell->SetAllowJavascript in
> nsMsgContentPolicy::DisableJSOnMailNewsUrlDocshells and recompile.
> 
> Do you want step two?

Please give me all steps.
Hard to say how good they'll be, since I'm away from a compiler to check, but in theory, keeping in mind that you've now made a dangerous program, start whichever of Thunderbird or SeaMonkey you built *with a new profile*, and create a News & Blogs account, which will create Local Folders for you without the risk of an email account. Close the program, save a copy of this attachment in Mail/Local Folders/ in your profile, edit (appdir)/greprefs/all.js, comment out the line this bug added, open the program, view the mail in the "wholeText" folder (with View - Message Body As - Original HTML), and if it successfully alerts the contents of the message body, you know the test is working, and you can close the program, reedit all.js to uncomment that line, reopen, review the email, and it should not alert the contents of the message body.
(In reply to comment #5)
> Step one: comment out the call to shell->SetAllowJavascript in
> nsMsgContentPolicy::DisableJSOnMailNewsUrlDocshells and recompile.
> 
I'm not sure what file this refers to.