Closed Bug 806814 Opened 9 years ago Closed 8 years ago
We should call Set
Dll Directory("") in our NSIS installers as a precaution
+++ This bug was initially created as a clone of Bug #801853 +++ There is no known DLL injection call that would be fixed by calling SetDllDirectory(""), but it would be good practice to do so. SetDllDirectory("") helps only with LoadLibrary calls, so this isn't a blanket fix for all DLL injection attacks to the installer. In particular it doesn't help with implicitly linked DLLs. Leaving as security-sensitive for now in case there is a problem I don't know about. See also bug 792106
Directly ported from bug 801853. Robert, would you mind doing the review of this as you reviewed that patch?
Assignee: nobody → mbanner
Status: NEW → ASSIGNED
Attachment #735080 - Flags: review?(robert.bugzilla)
Attachment #735080 - Flags: review?(robert.bugzilla) → review+
Comment on attachment 735080 [details] [diff] [review] The fix [Triage Comment] As Thunderbird trunk is currently closed, I've landed this directly on beta as we're just about to build our one and only beta for this cycle. I'll leave open to land on trunk & aurora.
Attachment #735080 - Flags: approval-comm-aurora? → approval-comm-aurora+
Comment on attachment 735080 [details] [diff] [review] The fix [Triage Comment] a=me for ESR (although this is only moderate, 17 is our main releases at the moment).
Attachment #735080 - Flags: approval-comm-esr17+
You need to log in before you can comment on or make changes to this bug.