Closed
Bug 932795
Opened 12 years ago
Closed 12 years ago
Remove unnecessary systemXHR permission
Categories
(Firefox OS Graveyard :: Gaia::Video, defect)
Tracking
(blocking-b2g:koi+, b2g-v1.1hd unaffected, b2g-v1.2 fixed)
RESOLVED
FIXED
| blocking-b2g | koi+ |
| Tracking | Status | |
|---|---|---|
| b2g-v1.1hd | --- | unaffected |
| b2g-v1.2 | --- | fixed |
People
(Reporter: arroway, Assigned: gkw)
Details
(Keywords: csectype-other, sec-want)
Attachments
(1 file, 1 obsolete file)
|
430 bytes,
patch
|
gkw
:
review+
|
Details | Diff | Splinter Review |
The systemXHR privileged permission should be removed from the manifest of the Video app since it is not longer required. Tt was previously used to make calls to the Youtube API, which is no longer performed.
|
||
Updated•12 years ago
|
Group: core-security
Keywords: csec-other,
sec-want
|
|
||
Comment 1•12 years ago
|
||
Not a current vulnerability so we don't need to hide the bug, but we do want to fix it (it's trivial to do) since it potentially raises the risk should this app be compromised.
|
Assignee | |
Comment 2•12 years ago
|
||
(had some minutes to spare as I got too bored at an airport)
I think this might fix the issue, please let me know if there is anything else I should change.
|
||
Comment 3•12 years ago
|
||
Comment on attachment 825093 [details] [diff] [review]
patch v0
Before you land this remember to take the semi colon off preceeding line "audio-channel-content":{}, (or if you need me to land, up an updated patch)
In future djf oh John Hu are likely better reviewers, I dont work on Video these days
Cheers, looks good
Attachment #825093 -
Flags: review?(dale) → review+
|
|
Assignee | |
Comment 4•12 years ago
|
||
Bringing over r+.
> In future djf oh John Hu are likely better reviewers, I dont work on Video
> these days
I chose you based on the shortest review queue from the "suggested reviewers" list - djf had 16 at that time, while John Hu wasn't on the list (no idea why).
Attachment #825093 -
Attachment is obsolete: true
Attachment #825894 -
Flags: review+
|
|
Assignee | |
Comment 5•12 years ago
|
||
Does this need to be backported?
Flags: needinfo?(dflanagan)
Keywords: checkin-needed
|
|
||
Comment 6•12 years ago
|
||
|
||
Comment 7•12 years ago
|
||
(In reply to Gary Kwong [:gkw] [:nth10sd] (still catching up on bugmail) (in-n-out through Nov 5) from comment #4)
> Created attachment 825894 [details] [diff] [review]
> patch v1
>
> Bringing over r+.
>
> > In future djf oh John Hu are likely better reviewers, I dont work on Video
> > these days
>
> I chose you based on the shortest review queue from the "suggested
> reviewers" list - djf had 16 at that time, while John Hu wasn't on the list
> (no idea why).
Sounds like someone should file a bug requesting that he be added.
|
||
Comment 8•12 years ago
|
||
Thanks for the patch Gary, and thanks for landing it, Dale.
I don't know if this should be backported. (Actually, I'm not certain when we stopped using the youtube api, but if we can remove this permission in 1.2, I think we should. It is basically risk-free to do.
Let's ask the reporter: Stephanie, do you want to nominate this fix koi?
Flags: needinfo?(dflanagan) → needinfo?(stephouillon)
|
Reporter | |
Comment 9•12 years ago
|
||
The use of the Youtube API has been stopped 4 months ago, I think it would be good to remove the permission in 1.2.
Flags: needinfo?(stephouillon)
|
|
Assignee | |
Updated•12 years ago
|
blocking-b2g: --- → koi?
|
|
Assignee | |
Comment 10•12 years ago
|
||
(In reply to Josh Matthews [:jdm] from comment #7)
> Sounds like someone should file a bug requesting that he be added.
I filed bug 935286.
|
|
Assignee | |
Comment 11•12 years ago
|
||
This permission was recommended to be removed in the security review of the Video app:
https://wiki.mozilla.org/Security/Reviews/Gaia/Video#Permissions
|
||
Comment 12•12 years ago
|
||
So this seems to be more of a want from the security team as a preventive case, please clarify if that's not the case, as we do not want to block on an issue if its not absolutely critical. Are we sure that no older releases(1.0.1,1.1) will rely on this change ? Would we need any new testing here ?
|
|
||
Updated•12 years ago
|
Flags: needinfo?(stephouillon)
Flags: needinfo?(dflanagan)
|
|
Reporter | |
Comment 13•12 years ago
|
||
The permission can be removed from 1.2 but not from older releases, as 1.1 and 1.0.1 still use the Youtube API in the Video app.
Flags: needinfo?(stephouillon)
|
|
||
Comment 14•12 years ago
|
||
I don't have the rights to mark this koi+, but I would if I did. It seems like a risk-free security patch. I think we should uplift it.
Flags: needinfo?(dflanagan)
|
|
||
Updated•12 years ago
|
blocking-b2g: koi? → koi+
|
|
Assignee | |
Updated•12 years ago
|
|
||
Comment 16•12 years ago
|
||
[v1.2 487853e] Bug 932795 - remove unused systemXHR permission. r=daleharvey
Flags: needinfo?(jhford)
|
||
Updated•12 years ago
|
Keywords: checkin-needed
You need to log in
before you can comment on or make changes to this bug.
Description
•