Closed
Bug 801704
Opened 12 years ago
Closed 12 years ago
Remove permission checks and use the mozPermissionSettings instead
Categories
(Firefox OS Graveyard :: Gaia, defect, P1)
Tracking
(blocking-basecamp:+, firefox-esr10 unaffected, firefox-esr17 unaffected, b2g18 fixed)
RESOLVED
FIXED
| blocking-basecamp | + |
| Tracking | Status | |
|---|---|---|
| firefox-esr10 | --- | unaffected |
| firefox-esr17 | --- | unaffected |
| b2g18 | --- | fixed |
People
(Reporter: fabrice, Assigned: etienne)
Details
(Keywords: sec-critical, Whiteboard: [qa-])
Attachments
(1 file)
|
2.30 KB,
patch
|
gwagner
:
review+
|
Details | Diff | Splinter Review |
Currently Gaia does some permission checks just by looking for permissions in the manifests. This does not take into account the privilege level of the app so any app asking for a permission gets it.
I think that's pretty bad.
|
Reporter | |
Updated•12 years ago
|
blocking-basecamp: --- → ?
|
||
Updated•12 years ago
|
Severity: normal → critical
blocking-basecamp: ? → +
Priority: -- → P1
|
||
Comment 1•12 years ago
|
||
Isn't this part of the security model in the process of being implemented? This could be a known problem filed elsewhere. But if it's not, yeah, it needs to be fixed.
Keywords: sec-critical
|
Assignee | |
Comment 2•12 years ago
|
||
(In reply to Daniel Veditz [:dveditz] from comment #1)
> Isn't this part of the security model in the process of being implemented?
> This could be a known problem filed elsewhere. But if it's not, yeah, it
> needs to be fixed.
It's really gaia specific I don't think it's linked to anything else.
BTW, ff nobody comes first I'll probably get to it early next week.
Gaia should never do permission checks. That's like one criminal frisking another criminal.
What's this being done for?
|
|
Assignee | |
Comment 4•12 years ago
|
||
(In reply to Chris Jones [:cjones] [:warhammer] from comment #3)
> Gaia should never do permission checks. That's like one criminal frisking
> another criminal.
>
> What's this being done for?
Attention screen and background services, your favorites Gaia hacks :)
So yep, it's a matter of making the sms app use system messages (which apparently isn't going to happen for v1 :/) and moving the attention screen permission check in gecko.
(In reply to Etienne Segonzac (:etienne) from comment #4)
> So yep, it's a matter of making the sms app use system messages (which
> apparently isn't going to happen for v1 :/)
Erm, that's news to me! But let's carry on that discussion elsewhere.
Assignee: nobody → etienne
|
||
Updated•12 years ago
|
Severity: critical → normal
|
|
Assignee | |
Comment 6•12 years ago
|
||
Attachment #675148 -
Flags: review?(anygregor)
|
||
Updated•12 years ago
|
Attachment #675148 -
Flags: review?(anygregor) → review+
|
|
Assignee | |
Comment 7•12 years ago
|
||
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
|
|
||
Updated•12 years ago
|
status-firefox-esr10:
--- → unaffected
|
||
Updated•12 years ago
|
Whiteboard: [qa-]
|
|
||
Updated•12 years ago
|
status-firefox-esr17:
--- → unaffected
|
|
||
Updated•12 years ago
|
status-b2g18:
--- → fixed
|
|
||
Updated•10 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•