Closed Bug 871548 Opened 10 years ago Closed 10 years ago

Query params sent when reporting a phishing site could contain sensitive info.


(SeaMonkey :: General, defect)

Not set


(seamonkey2.20 fixed, seamonkey2.21 fixed)

Tracking Status
seamonkey2.20 --- fixed
seamonkey2.21 --- fixed


(Reporter: philip.chee, Assigned: philip.chee)




(1 file)

From Firefox Bug 368106:
> However, Firefox is sending the full URL of the reported site -- including the 
> query string ( To avoid privacy problems, the 
> browser probably shouldn't be sending the query part at all. Stripping out the 
> query values might also be an option (so that ...?user=me&pw=secret is 
> submitted as ...?user=&pw=).
> It seems like just the hostname and URL path should be enough to identify a 
> phishing site.
> +    // XXX: .clone() or cloneIgnoringRef() ?
> +    var pageUri = getBrowser().currentURI.cloneIgnoringRef();
Firefox uses .clone(). Would cloneIgnoringRef() be better?
Attachment #748818 - Flags: review?(neil)
(In reply to Philip Chee from comment #1)
> Firefox uses .clone(). Would cloneIgnoringRef() be better?
Makes sense.
Comment on attachment 748818 [details] [diff] [review]
Patch v1.0 Strip query params.

Seems reasonable (but without the XXX of course).
Attachment #748818 - Flags: review?(neil) → review+
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → seamonkey2.21
Comment on attachment 748818 [details] [diff] [review]
Patch v1.0 Strip query params.

Note: Firefox Bug 368106 landed on Firefox23

[Approval Request Comment]
Bug caused by (feature/regressing bug #): Bug 477718 - Implement Phishing Protection (a.k.a. Safe Browsing) support in SeaMonkey

User impact if declined: Sensitive privacy information could leak.

Testing completed (on m-c, etc.): I've been running with this patch for about a fortnight and the Firefox changeset has been in m-c since 2013-05-07.

Risk to taking this patch (and alternatives if risky): Risk is low but since this problem is hypothetical it could ride the trains instead.

String or IDL/UUID changes made by this patch: None
Attachment #748818 - Flags: approval-mozilla-aurora?
Attachment #748818 - Flags: approval-mozilla-aurora? → approval-comm-aurora?
Attachment #748818 - Flags: approval-comm-aurora? → approval-comm-aurora+

I think that this error it is solved. Now the URL its Ok!! Thanks

You need to log in before you can comment on or make changes to this bug.