Bug 871548 - Query params sent when reporting a phishing site could contain sensitive info.
Status: RESOLVED FIXED (opened 12 years ago, closed 12 years ago)
Categories: SeaMonkey :: General, defect
Tracking: seamonkey2.20 fixed, seamonkey2.21 fixed; target milestone seamonkey2.21
People: Reporter: philip.chee, Assigned: philip.chee
Attachments (1 file): patch, 1.46 KB (neil: review+, iannbugzilla: approval-comm-aurora+)
From Firefox Bug 368106:
> However, Firefox is sending the full URL of the reported site -- including the
> query string (http://foo.com/foo?querystring). To avoid privacy problems, the
> browser probably shouldn't be sending the query part at all. Stripping out the
> query values might also be an option (so that ...?user=me&pw=secret is
> submitted as ...?user=&pw=).
>
> It seems like just the hostname and URL path should be enough to identify a
> phishing site.
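The two options named in the description (drop the query entirely, or keep parameter names with empty values) can be sketched as follows. This is an added example, not the SeaMonkey patch: it uses the standard WHATWG `URL` API instead of `nsIURI`, the name `sanitizeReportUrl` and its `mode` values are hypothetical, and it goes one step beyond the bug by also removing userinfo.

```javascript
// Added example; sanitizeReportUrl and its mode names are hypothetical.
// "strip" drops the whole query; "blank-values" keeps names, empties values.
function sanitizeReportUrl(rawUrl, mode = "strip") {
  let url;
  try {
    url = new URL(rawUrl);
  } catch (e) {
    return null; // not an absolute URL: report nothing rather than raw input
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return null; // only web pages are reportable
  }
  url.hash = "";     // same effect as cloneIgnoringRef(): drop the #fragment
  url.username = ""; // assumption beyond the bug: userinfo is also sensitive
  url.password = "";
  if (mode === "blank-values") {
    // Parameter names can themselves be secrets (a bare "?<token>" parses as
    // a name with an empty value), which is why "strip" is the default.
    const names = [];
    for (const [name] of url.searchParams) {
      names.push(encodeURIComponent(name));
    }
    url.search = names.length ? "?" + names.map((n) => n + "=").join("&") : "";
  } else {
    url.search = "";
  }
  return url.href;
}

// Constructed sample inputs, not taken from real reports.
const SAMPLES = [
  "http://foo.com/foo?user=me&pw=secret#top",
  "https://alice:hunter2@foo.com/login?next=/account",
  "javascript:alert(1)",
];
for (const sample of SAMPLES) {
  console.log(sample, "->", sanitizeReportUrl(sample),
              "|", sanitizeReportUrl(sample, "blank-values"));
}
```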
Comment 1 (Assignee) • 12 years ago
> + // XXX: .clone() or cloneIgnoringRef() ?
> + var pageUri = getBrowser().currentURI.cloneIgnoringRef();
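Review bot: the open question in the XXX comment on the first added line should be settled and the comment removed before this lands. cloneIgnoringRef() on the second added line drops only the #fragment from the copy of currentURI, so on its own the copy still carries the query string; the quoted lines do not show where the query is cleared on pageUri, and that step is what addresses the bug summary, so it is worth confirming it is present and giving it a one-line comment saying the URI is reduced for privacy before it is sent with the report.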
Firefox uses .clone(). Would cloneIgnoringRef() be better?
Attachment #748818 - Flags: review?(neil)
Comment 2 • 12 years ago
(In reply to Philip Chee from comment #1)
> Firefox uses .clone(). Would cloneIgnoringRef() be better?
Makes sense.
Comment 3 • 12 years ago
Comment on attachment 748818: Patch v1.0 Strip query params.
Seems reasonable (but without the XXX of course).
Attachment #748818 - Flags: review?(neil) → review+
Comment 4 (Assignee) • 12 years ago
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
status-seamonkey2.21: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → seamonkey2.21
Comment 5 (Assignee) • 12 years ago
Comment on attachment 748818: Patch v1.0 Strip query params.
Note: Firefox Bug 368106 landed on Firefox23
[Approval Request Comment]
Bug caused by (feature/regressing bug #): Bug 477718 - Implement Phishing Protection (a.k.a. Safe Browsing) support in SeaMonkey
User impact if declined: Sensitive privacy information could leak.
Testing completed (on m-c, etc.): I've been running with this patch for about a fortnight and the Firefox changeset has been in m-c since 2013-05-07.
Risk to taking this patch (and alternatives if risky): Risk is low but since this problem is hypothetical it could ride the trains instead.
String or IDL/UUID changes made by this patch: None
Attachment #748818 - Flags: approval-mozilla-aurora?
Updated • 12 years ago
Attachment #748818 - Flags: approval-mozilla-aurora? → approval-comm-aurora?
Attachment #748818 - Flags: approval-comm-aurora? → approval-comm-aurora+
Comment 6 (Assignee) • 12 years ago
Pushed to comm-aurora:
http://hg.mozilla.org/releases/comm-aurora/rev/8d0d26c68023
status-seamonkey2.20: --- → fixed
I think that this error is solved. Now the URL https://www.quierochollo.online is OK!! Thanks