Closed
Bug 519252
Opened 15 years ago
Closed 11 years ago
consider builder newsgroup link in a safer way
Categories
(Thunderbird :: Mail Window Front End, defect)
Tracking
(Not tracked)
RESOLVED
FIXED
Thunderbird 22.0
People
(Reporter: mkmelin, Assigned: mkmelin)
Details
Attachments
(1 file)
1.96 KB,
patch
|
standard8
:
review+
|
Details | Diff | Splinter Review |
+++ This bug was initially created as a clone of Bug #519118 comment 2 +++ In general, this looks good. However, from a security standpoint, Newsgroups originally comes from an untrusted source (the message). Now, if there are no bugs in the rest of our code, we'll be fine constructing the URL using strings like this. However, it's better to have defense in depth. Ideally, we'd build up the URL object using nsIURI attribute setters on an nsStandardURL object so that it enforces all the right escaping. Assuming nsStandardURL supports that mode of use, please do that, and request review from again. If not, please file a bug on nsStandardURL and we'll live with the string construction for now, so r+ing now for that case.
Assignee | ||
Comment 1•11 years ago
|
||
I guess this would be the standard way to make sure the url is ok.
Attachment #728608 -
Flags: review?(mbanner)
Assignee | ||
Updated•11 years ago
|
Status: NEW → ASSIGNED
Comment 2•11 years ago
|
||
Comment on attachment 728608 [details] [diff] [review] proposed fix Review of attachment 728608 [details] [diff] [review]: ----------------------------------------------------------------- ::: mail/base/content/msgHdrViewOverlay.js @@ +1725,3 @@ > let url; > if (server.socketType != Components.interfaces.nsMsgSocketType.SSL) { > url = "news://" + server.hostName; This lot feels like it is begging for a utility function, unfortunately I don't think we have one, and we wouldn't be able to share it easily anyway (due to historical mailnews issues). Oh well.
Attachment #728608 -
Flags: review?(mbanner) → review+
Assignee | ||
Comment 3•11 years ago
|
||
https://hg.mozilla.org/comm-central/rev/b411f5facb9b -> FIXED
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → Thunderbird 22.0
You need to log in
before you can comment on or make changes to this bug.
Description
•