Closed
Bug 503220
Opened 15 years ago
Closed 5 years ago
The update.locale file is readable from script via resource:///
Categories
(Firefox :: General, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: gfleischer+bugzilla, Unassigned)
Details
(Keywords: privacy)
Attachments
(1 file)
1.70 KB,
text/html
|
Details |
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.9.0.11) Gecko/2009060214 Firefox/3.0.11 Build Identifier: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.1pre) Gecko/20090708 Shiretoko/3.5.1pre The update.locale file contains the locale for the installation. This file is new for Firefox 3.5. By loading the update.locale file as script, the locale of the browser can be determined. For users that have modified their user-agent string to mask their actual locale, this behavior may reduce their privacy. Reproducible: Always
Reporter | ||
Comment 1•15 years ago
|
||
example demonstrating that resource:///upate.locale is readable via script.
Comment 2•15 years ago
|
||
It is a bit concerning that we have any local file that can be read off disk, but I'm not sure we advertise the ability to completely hide or obscure locale as a feature. That might be a job for security/privacy/web developer addons that do such things. I wonder what happens if the file is modified or just removed altogether?
Comment 3•15 years ago
|
||
update.locale added as part of https://bugzilla.mozilla.org/show_bug.cgi?id=488936
Comment 4•15 years ago
|
||
so looking at http://mxr.mozilla.org/mozilla1.9.1/source/toolkit/mozapps/update/src/nsUpdateService.js.in it seems like it wouldn't be a good idea or serve much purpose for user agent/locale spoofing addons to be changing this file just to preserve obscurity of the locale. that might create real problems with an update of one locale clobbering another. that would be unexpected behavior for a simple user agent/locale switcher. seems like the question should be more around if we can make this file only readable by chrome, and not content.
Comment 5•15 years ago
|
||
I suspect this can be fixed as it stands today by going with an ini file format as follows. [Update] locale=en-US Since the JavaScript keeps a list of possible locales to accomplish this I highly suspect that for all practical purposes this could also be accomplished (though it would require significantly more code) by looping through the possible locale list and trying to load the locale's jar file as a script.
Comment 6•15 years ago
|
||
I don't think it would require much more code. Just create a bunch of script elements like <script onload="foundlocale('en-US')" src="jar:resource:///chrome/en-US.jar!/"></script>
Comment 7•15 years ago
|
||
We can't "fix" this this without getting rid of the resource: loophole entirely (as talked about in bug 292789 comment 1), but that's likely to break a bunch of stuff.
Comment 8•15 years ago
|
||
A privacy problem for a minority -- most people advertise their correct locale -- but not a security vulnerability. unhiding bug.
Group: core-security
Comment 9•5 years ago
|
||
This doesn't work anymore; but we should confirm this file cannot be access by other means...
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•