Closed Bug 868939 Opened 11 years ago Closed 6 years ago

[ja] don't use <script> tag in localization

Categories

(Mozilla Localizations :: ja / Japanese, defect)

Product:
Mozilla Localizations
Component:
ja / Japanese
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

(Not tracked)

Status:
RESOLVED WORKSFORME

People

(Reporter: Pike, Unassigned)

Details

(Keywords: sec-audit)

Attachments

(2 files)

demo: new japanese about:mozilla
4.46 KB, application/xhtml+xml
Details
fix v1
7.70 KB, patch
Details | Diff | Splinter Review 
The Japanese version of about:mozilla re-introduced the use of a script tag.

I know that it used to do that for ever, and that the script itself is harmless, but in the end it just shows how easy it is for a locale to add malware.

Please find a localization that doesn't exploit that hole in our l10n setup.

Marking this bug as security confidential because it demonstrates a malware path. And yes, I did run an mxr query to check other locales, http://mxr.mozilla.org/l10n-mozilla-aurora/search?string=%3Cscript&find=.dtd%24&findi=&filter=^[^\0]*%24&hitlimit=&tree=l10n-mozilla-aurora.
Talked to dveditz. This particular bug does not merit anything higher than sec-moderate, but the problem of script tags in localized strings is serious, as about pages can have chrome privileges.
calling this sec-audit. we need either a tool or a process to check for this in locales.
Keywords: sec-audit
Attachment #763082 - Attachment mime type: application/octet-stream → application/xhtml+xml
Attached patch fix v1Splinter Review 

        Attachment #763125 -
        Flags: review?(l10n)

    
    

    
  
Comment on attachment 763125 [details] [diff] [review]
fix v1

Review of attachment 763125 [details] [diff] [review]:
-----------------------------------------------------------------

Matt, I think this is really something that the security group needs to comment on. Are you a good reviewer or should someone else do this?

It'd be really good to get a rationale for why this has to happen, too. Right now all we have is Japanese content and discussions, which at least I can't follow.

I understand that this gives some special local flavor, but I'm not convinced that this is a customization that localizations should do.

        Attachment #763125 -
        Flags: review?(l10n) → review?(mwobensmith)

    
    

    
  
Hi Axel, I'm not sure that I'm the appropriate person to review this. 

Who normally reviews this type of content?

As far as the issue itself, Dan Veditz has expressed that it needs more oversight, so perhaps he can weigh in more with regards to that.

    
    

    
  
This is a one-off situation, we don't have a review policy to build on.

Dan, what's your take?

    
    

    
  
I want to land firefox24. can you review new japanese about:mozilla ?

          tracking-firefox24:
          --- → ?

    
    

    
  
Flagging an explicit needinfo on Dan.
Flags: needinfo?(dveditz)

    
    

    
  
(In reply to ABE Hiroki (hATrayflood) from comment #8)
> I want to land firefox24. can you review new japanese about:mozilla ?

Given this is not a recent regression , unclear why we would track it for Fx24 specifically.

If this was nominated only for the purpose of landing; you can always request uplift approval on any bug.If the risk/reward justifies and depending on where we are in the cycle we'd approve it.

          tracking-firefox24:
          ? → ---

    
    

    
  
(In reply to bhavana bajaj [:bajaj] from comment #10)
> If this was nominated only for the purpose of landing; you can always
> request uplift approval on any bug.

No. The patch was posted and our l10n solution was suggested 2 months ago.
The remaining work is to review it and landing.
There is no reason to delay, if you haven't any consideration to forward this.

    
    

    
  
Hi Dan, can you address this? Thank you.

    
    

    
  
I have no idea what I'm being asked. I'm glad the <script> is being removed, and I don't see a /security problem/ with the CSS approach since it's not incorporating external content into the page. r+ for that much.

The text is clearly not just a translation of the English about:mozilla which seems a tad dodgy. Is that a precedent we want to set? Is the new text appropriate for the Mozilla "brand"? But that's not my call. Ideally we'd have someone on the product team who could read Japanese make that call. The Japanese version has quite a bit more about foxes than the English (which has none) but to the extent I could tell from Google translate mush it didn't look terribly out of line. Didn't understand the named references, but that's OK I'm sure a lot of Japanese people don't get the "Mammon" reference.
Flags: needinfo?(dveditz)
Group: core-security → firefox-core-security

    
    

    
  
Comment on attachment 763125 [details] [diff] [review]
fix v1

Review of attachment 763125 [details] [diff] [review]:
-----------------------------------------------------------------

Removing review request to me, as I'm not in a position to review this. I'm sorry that it has taken me so long to do so.

        Attachment #763125 -
        Flags: review?(mwobensmith)

    
    

    
  
This bug seems obsolete: problem is gone but looks like because the about:mozilla text was replaced with a newer English version rather than the translation being fixed.

I scanned dxr.mozilla.org/l10n-central/ and found no more unwanted uses of <script> at the current time.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WORKSFORME
Group: firefox-core-security

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: