Closed Bug 874484 Opened 11 years ago Closed 11 years ago

Timeout for remote debugging / adbd

Categories

(Firefox OS Graveyard :: General, defect)

ARM
Gonk (Firefox OS)
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: cr, Assigned: dhylands)

Details

(Keywords: sec-low)

Attachments

(1 file, 1 obsolete file)

We identified remote debugging as a vector for several security threats. A simple mitigation to all of the connected risks is to introduce a timeout (I suggest something between 8 and 24 hours; 12h seems sensible) after which remote debugging automatically turns off until it is manually activated on the phone again.

This should land as soon as possible, because it is powerful, easy to implement and other mitigations will take much longer.
Another option or additional control would be to add some kind of visible indicator that the phone is in debug mode (e.g. bar at top of screen, or persistent notification etc.).
blocking-b2g: --- → koi?
Assignee: nobody → dhylands
This patch causes ADB to automatically be disabled after 12 hours on builds where marionette is disabled (i.e. production builds).
Fixed default value in b2g.js
Attachment #791008 - Attachment is obsolete: true
Attachment #791012 - Flags: review?(fabrice)
Comment on attachment 791012
Disables ADB after a timeout (when marionette is disabled) v2

Review of attachment 791012:
-----------------------------------------------------------------

r=me with comment addressed.

::: b2g/app/b2g.js
@@ +748,5 @@
>  pref("dom.promise.enabled", false);
>  
> +// Allow ADB to run for this many milliseconds before disabling
> +// (only applies when marionette is disabled)
> +pref("b2g.adb.timeout", 12 * 60 * 60 * 1000);  // 12 hours
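
Review bot: The comment above the `b2g.adb.timeout` pref does not say what a value of 0 (or a negative value) means, or which event starts the clock, so a reader of this file cannot tell whether the timeout can be switched off on a build where marionette is disabled. Suggest stating both in the comment, for example whether 0 disables the timeout and whether the period counts from the moment remote debugging is enabled. The pref name also carries no unit, so putting the unit in the first comment line or in the name would keep the value from being misread if the unit is ever changed.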

I would rather just specify the number of hours here, and do the conversion to milliseconds in settings.js
Attachment #791012 - Flags: review?(fabrice) → review+
https://hg.mozilla.org/mozilla-central/rev/12196310221f
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Should already be in 1.2, clearing the koi nom, here.
blocking-b2g: koi? → ---
Comment on attachment 791012
Disables ADB after a timeout (when marionette is disabled) v2

It's not in Aurora, and webqa needs this pushed to aurora because it's causing issues with automation:
http://hg.mozilla.org/releases/mozilla-b2g26_v1_2/file/4fbe1b01ed63/b2g/app/b2g.js#l786
Attachment #791012 - Flags: approval-mozilla-aurora?
blocking-b2g: --- → koi?
Oops. I made a mistake, it is in the build; the timing was moved over to hours. Please ignore the last comment.
blocking-b2g: koi? → ---