![]() ![]() But if calling it from nsBrowserApp.cpp which is your "main" is an option, TB wouldn't be affected and a backout would be a valid short term fix. ![]() I can fix it with a backout of bug 1572838 from our release branches, but backing out a security fix is likely a bad idea. In this case TB 60.9 would inherit the problem as well. I assume you're planning to backport to FF 60.9?Ħ0esr isn't vulnerable to the issue in the bug as written, so no. ![]() The patch shouldn't be too difficult to write so if you have time before me. Can some of the people involved in bug 1572838 fix this quickly (and move it out of MailNews).I think "no" is right - we added exit() calls, but those shouldn't crash, per se. Should I dupe this here? Looks like a "no" reading the end of comment #22. The crash was reported in bug 1577796.(In reply to Jorg K (GMT+2) from comment #24) Even then, I likely can't test the mail side of the patch so it'd be helpful if someone who knows mail code could write and/or test the patch. I can try to get a patch written on my (UK time) Monday, but probably not before then. This would require some work from someone who knows mail code to do it at the right place in mail code.Ī slightly more short-term/impromptu (for 68.1 ?) solution might be ifdefs in EnsureCommandlineSafe based on MOZ_BUILD_APP that accept -mail / -compose (with/without params), though that feels pretty yucky. That or write a similar checking function in mail code. I expect that we should call it from the integration points of various apps (ie from nsBrowserApp rather than XRE code) but also make the helper function take arguments that list valid params + whether or not they take an argument. This is a good idea, but the problem is that we also removed the osint checks elsewhere, and so just not checking anything in TB would potentially reopen security issues for thunderbird w/ mailto: (or Thunderbird:) protocol handling. We should probably call it from nsBrowserApp I guess. (In reply to Dave Townsend (he/him) from comment #21)Īh. I'm at a wedding and am not going to be able to write a patch right now. Sorry, I've just seen this and it's now past midnight here. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |