The default bug view has changed. See this FAQ.

consider builder newsgroup link in a safer way

RESOLVED FIXED in Thunderbird 22.0

Status

Thunderbird
Mail Window Front End
RESOLVED FIXED
8 years ago
4 years ago

People

(Reporter: Magnus Melin, Assigned: Magnus Melin)

Tracking

Thunderbird 22.0

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

(Assignee)

Description

8 years ago
+++ This bug was initially created as a clone of Bug #519118 comment 2 +++

In general, this looks good.  However, from a security standpoint, Newsgroups
originally comes from an untrusted source (the message).  Now, if there are no
bugs in the rest of our code, we'll be fine constructing the URL using strings
like this.  However, it's better to have defense in depth.  Ideally, we'd build
up the URL object using nsIURI attribute setters on an nsStandardURL object so
that it enforces all the right escaping.  Assuming nsStandardURL supports that
mode of use, please do that, and request review from again.  If not, please
file a bug on nsStandardURL and we'll live with the string construction for
now, so r+ing now for that case.
(Assignee)

Comment 1

4 years ago
Created attachment 728608 [details] [diff] [review]
proposed fix

I guess this would be the standard way to make sure the url is ok.
Attachment #728608 - Flags: review?(mbanner)
(Assignee)

Updated

4 years ago
Status: NEW → ASSIGNED
Comment on attachment 728608 [details] [diff] [review]
proposed fix

Review of attachment 728608 [details] [diff] [review]:
-----------------------------------------------------------------

::: mail/base/content/msgHdrViewOverlay.js
@@ +1725,3 @@
>    let url;
>    if (server.socketType != Components.interfaces.nsMsgSocketType.SSL) {
>      url = "news://" + server.hostName;

This lot feels like it is begging for a utility function, unfortunately I don't think we have one, and we wouldn't be able to share it easily anyway (due to historical mailnews issues). Oh well.
Attachment #728608 - Flags: review?(mbanner) → review+
(Assignee)

Comment 3

4 years ago
https://hg.mozilla.org/comm-central/rev/b411f5facb9b -> FIXED
Status: ASSIGNED → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → Thunderbird 22.0
You need to log in before you can comment on or make changes to this bug.