Closed Bug 804971 Opened 8 years ago Closed 8 years ago
Thunderbird Installer can run untrusted program
See Bug 770478, the installer should quote the string around the path to actually launch Thunderbird and not something else.
Rob, could you just check this for correctness? I think the shared.nsh changes are right but we just haven't ported bug 716045 yet.
Attachment #674618 - Flags: review?(robert.bugzilla)
Comment on attachment 674618 [details] [diff] [review] The fix Looks good
Attachment #674618 - Flags: review?(robert.bugzilla) → review+
Comment on attachment 674618 [details] [diff] [review] The fix [Triage Comment] Ok, as this has unfortunately been long revealed, we're going to take it in the releases we're doing this week and get it fixed.
https://hg.mozilla.org/comm-central/rev/477e78b3b2cb https://hg.mozilla.org/releases/comm-aurora/rev/6726e97a0d3c https://hg.mozilla.org/releases/comm-beta/rev/18f28032dc59 https://hg.mozilla.org/releases/comm-release/rev/234a03980b2b The esr patch doesn't have the https://hg.mozilla.org/releases/comm-esr10/rev/6c5e9520517a
Also pushed to the relbranch for 10.0.10esr: https://hg.mozilla.org/releases/comm-esr10/rev/dbd298bf5c74 I've also verified the fix on the trunk builds with the str in bug 770478 comment 6.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.