Closed
Bug 868939
Opened 11 years ago
Closed 6 years ago
[ja] don't use <script> tag in localization
Categories
(Mozilla Localizations :: ja / Japanese, defect)
Mozilla Localizations
ja / Japanese
Tracking
(Not tracked)
RESOLVED
WORKSFORME
People
(Reporter: Pike, Unassigned)
Details
(Keywords: sec-audit)
Attachments
(2 files)
4.46 KB,
application/xhtml+xml
|
Details | |
7.70 KB,
patch
|
Details | Diff | Splinter Review |
The Japanese version of about:mozilla re-introduced the use of a script tag. I know that it used to do that for ever, and that the script itself is harmless, but in the end it just shows how easy it is for a locale to add malware. Please find a localization that doesn't exploit that hole in our l10n setup. Marking this bug as security confidential because it demonstrates a malware path. And yes, I did run an mxr query to check other locales, http://mxr.mozilla.org/l10n-mozilla-aurora/search?string=%3Cscript&find=.dtd%24&findi=&filter=^[^\0]*%24&hitlimit=&tree=l10n-mozilla-aurora.
Comment 1•11 years ago
|
||
Talked to dveditz. This particular bug does not merit anything higher than sec-moderate, but the problem of script tags in localized strings is serious, as about pages can have chrome privileges.
Comment 2•11 years ago
|
||
calling this sec-audit. we need either a tool or a process to check for this in locales.
Keywords: sec-audit
Comment 3•11 years ago
|
||
Updated•11 years ago
|
Attachment #763082 -
Attachment mime type: application/octet-stream → application/xhtml+xml
Comment 4•11 years ago
|
||
Attachment #763125 -
Flags: review?(l10n)
Reporter | ||
Comment 5•11 years ago
|
||
Comment on attachment 763125 [details] [diff] [review] fix v1 Review of attachment 763125 [details] [diff] [review]: ----------------------------------------------------------------- Matt, I think this is really something that the security group needs to comment on. Are you a good reviewer or should someone else do this? It'd be really good to get a rationale for why this has to happen, too. Right now all we have is Japanese content and discussions, which at least I can't follow. I understand that this gives some special local flavor, but I'm not convinced that this is a customization that localizations should do.
Attachment #763125 -
Flags: review?(l10n) → review?(mwobensmith)
Comment 6•11 years ago
|
||
Hi Axel, I'm not sure that I'm the appropriate person to review this. Who normally reviews this type of content? As far as the issue itself, Dan Veditz has expressed that it needs more oversight, so perhaps he can weigh in more with regards to that.
Reporter | ||
Comment 7•11 years ago
|
||
This is a one-off situation, we don't have a review policy to build on. Dan, what's your take?
Comment 8•11 years ago
|
||
I want to land firefox24. can you review new japanese about:mozilla ?
tracking-firefox24:
--- → ?
Comment 10•11 years ago
|
||
(In reply to ABE Hiroki (hATrayflood) from comment #8) > I want to land firefox24. can you review new japanese about:mozilla ? Given this is not a recent regression , unclear why we would track it for Fx24 specifically. If this was nominated only for the purpose of landing; you can always request uplift approval on any bug.If the risk/reward justifies and depending on where we are in the cycle we'd approve it.
tracking-firefox24:
? → ---
Comment 11•11 years ago
|
||
(In reply to bhavana bajaj [:bajaj] from comment #10) > If this was nominated only for the purpose of landing; you can always > request uplift approval on any bug. No. The patch was posted and our l10n solution was suggested 2 months ago. The remaining work is to review it and landing. There is no reason to delay, if you haven't any consideration to forward this.
Comment 12•11 years ago
|
||
Hi Dan, can you address this? Thank you.
Comment 13•11 years ago
|
||
I have no idea what I'm being asked. I'm glad the <script> is being removed, and I don't see a /security problem/ with the CSS approach since it's not incorporating external content into the page. r+ for that much. The text is clearly not just a translation of the English about:mozilla which seems a tad dodgy. Is that a precedent we want to set? Is the new text appropriate for the Mozilla "brand"? But that's not my call. Ideally we'd have someone on the product team who could read Japanese make that call. The Japanese version has quite a bit more about foxes than the English (which has none) but to the extent I could tell from Google translate mush it didn't look terribly out of line. Didn't understand the named references, but that's OK I'm sure a lot of Japanese people don't get the "Mammon" reference.
Flags: needinfo?(dveditz)
Updated•9 years ago
|
Group: core-security → firefox-core-security
Comment 14•8 years ago
|
||
Comment on attachment 763125 [details] [diff] [review] fix v1 Review of attachment 763125 [details] [diff] [review]: ----------------------------------------------------------------- Removing review request to me, as I'm not in a position to review this. I'm sorry that it has taken me so long to do so.
Attachment #763125 -
Flags: review?(mwobensmith)
Comment 15•6 years ago
|
||
This bug seems obsolete: problem is gone but looks like because the about:mozilla text was replaced with a newer English version rather than the translation being fixed. I scanned dxr.mozilla.org/l10n-central/ and found no more unwanted uses of <script> at the current time.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WORKSFORME
Updated•4 years ago
|
Group: firefox-core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•