We should ensure that canon.exec() or canon.addCommand() performs the required wrapping to ensure that the correct privileges are used at all times.
This is not considered a "security issue" right now because:
- "Many users" are not using this code
- The only commands that exist don't do much of any note
This issue should be fixed before any significant number of users begin testing it.
Did this feature go through security review when it first landed? If not, it'd probably be a good idea to have it do that regardless now.
(In reply to comment #0)
> command.exec();. It is likely that this represents a security problem in some
I have not yet looked at the patch, but you will have to execute these commands in a sandbox, just like the existing command line.
(In reply to comment #1)
> Did this feature go through security review when it first landed? If not, it'd
> probably be a good idea to have it do that regardless now.
It's not landed yet.
My current thinking is that it would be good if we can have the command line execute with chrome privs, protecting it from page resources, rather than the other way around (i.e. executing with page privs, sandboxed from chrome resources).
Not sure if that's possible.
Jesse - Are you the best person to talk to about getting this command line feature reviewed?
curtisk has been organizing security reviews lately.
Review TBD added to sec team review radar https://wiki.mozilla.org/Security/Radar/Active#Firefox:_In_Progress
Bug 664693 tracks the documenting of the commands.
Bug 664696 tracks the reviewing of the commands by mrbkap.
The notes from the etherpad have gone - will they be published anywhere?
I'd like to close this bug now - any objections?
mrbkap is supposed to review the wrapper implementation.
Security team will review the list of commands.
Notes are posted here: https://wiki.mozilla.org/Security/Reviews/Firefox6/ReviewNotes/GCLI
I've added the bugs I raised to the wiki page - thanks for posting that.
I'll close this bug tomorrow unless anyone complains.
Marking verified because there is no UI proof that the bug is fixed. The proof is in the comments above.