MozillaZine

[Branch] Firefox 2.0.0.1 fixlist (NOW RELEASED)

Discussion about official Mozilla Firefox builds
Old WildcatRay
 
Posts: 0
Joined: December 31st, 1969, 5:00 pm

Post Posted December 8th, 2006, 2:55 pm

Domo, Tony E! ;)

Lucky

 
Posts: 227
Joined: January 28th, 2003, 4:31 am
Location: Essen / Germany

Post Posted December 8th, 2006, 3:11 pm

#360493 [Firefox:Password Manager]-Cross-Site Forms + Password Manager = Security Failure [All]

This bug isn't fixed. I have tested it on heise security and it works... ;(
http://www.heise-security.co.uk/service ... ass1.shtml

Or it's not that bug?

Lucky

4Smoky
 
Posts: 1
Joined: December 8th, 2006, 3:18 pm

Post Posted December 8th, 2006, 3:20 pm

#360493 [Firefox:Password Manager]-Cross-Site Forms + Password Manager = Security Failure [All]

The same here. The bug isn't fixed :(

old zeniko
 
Posts: 0
Joined: December 31st, 1969, 5:00 pm

Post Posted December 8th, 2006, 3:24 pm

Lucky wrote: #360493 [Firefox:Password Manager]-Cross-Site Forms + Password Manager = Security Failure [All]

Above (http://forums.mozillazine.org/viewtopic.php?p=2640505#2640505), colfer wrote: So far you have to use about:config to change it:
signon.prefillForms (true/false)

Only when signon.prefillForms is set to false, the "exploit" won't work anymore. That pref will be switched for Firefox 2.0.0.2 (unless there's a respin).

CrazyFred wrote:Looks like there will be a respin of 2.0.0.1 to pick up the default pref change for password prefill and the broken ctrl-shift-# shortcuts.

You're mis-interpreting the flags: they just mean that should there be a respin, those patches will be included as well - otherwise they'll make Firefox 2.0.0.2. Reasons for a respin are usually only top-crashers and severe security and dataloss issues. Both bugs don't qualify for either of these...

Warduke
 
Posts: 630
Joined: November 4th, 2002, 7:49 pm

Post Posted December 8th, 2006, 3:42 pm

Firefox : One Browser to Rule Them All.

chob
 
Posts: 4283
Joined: May 17th, 2003, 12:05 pm
Location: London, UK

Post Posted December 8th, 2006, 4:12 pm

I'm told that the Windows and Mac RC2 builds are identical to the RC1 builds; the only change between RC1 and RC2 is for Linux and that's to fix:
  • #363054 [Core:Keyboard: Navigation]-Ctrl-Shift Keyboard Shortcuts broken (linux) [Lin]

colfer

 
Posts: 643
Joined: December 4th, 2002, 9:34 am
Location: Bear

Post Posted December 8th, 2006, 5:53 pm

Yep, same date stamp. Brendan weighed in today on the (ridiculously bloated, should be forum posts) discussion in Bug 360493, "We need a real fix. Since there are other important fixes to get out in 2.0.0.1, we should put our energy into the right fix for the next patch release." In other words, the pref is available in about:config, but it defaults to true, so Firefox behaves the same as always.

Meanwhile, MySpace has fixed their problem, and all hosts that allow individually controlled example.com/acct1, example.com/acct2 hosting are advised that they are vulnerable to Javascript attacks anyway (XSS), so the autofill thing, no matter how deviously constructed, is no worse. If they filter users from posting Javascript, then they should filter them from posting password forms (by <input> name or type? I'm not sure.) What are the days of university.edu/~acct over? Are they really using acct.university.edu? (Javascript respects full domain name, as does password manager.)

This kind of form still works in MySpace profiles, but the domain is profiles.myspace.com, presumably not a login domain:

"You can buy (my CD) right here!
[form action="http://cdbaby.com/cart" method="post"]
Price: $15.00
Quantity: ___
Buy Now! (submit button)
[/form]

Looks like the upcoming better fix for 2.0.0.2 would involve remembering something else about the page besides just the domain name and form fields. I doubt that preventing html/css/javascript tricks for obscuring and submitting the form is KISS (simple) enough.

My opinion: the pref should be flipped in 2.0.0.1. It would annoy users but in a respectful way. Maybe add a dorky "quick-autofill this form next time?" dialog in 2.0.0.2. But I'm not as cautious as a Mozilla driver.
Last edited by colfer on December 9th, 2006, 7:33 am, edited 1 time in total.
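
A small model of the autofill decision colfer describes, written for this thread rather than taken from Firefox's Password Manager; the checkActionOrigin rule is an assumed stricter check (not something the thread specifies), and the saved login and forms are constructed samples:

```javascript
// Added example (not Firefox's code): a model of the autofill decision at the
// centre of bug 360493.  A saved login is keyed by the page origin and the
// username/password field names, so with signon.prefillForms = true any form
// on that origin with matching field names is prefilled, even when its action
// submits elsewhere.  The checkActionOrigin rule is an assumed hardening
// (not specified in the thread): also require the form's action origin to
// match the origin the login was saved from.

// Origin (scheme://host[:port]) of a URL; the path is ignored, which is why
// user-controlled paths on one host (example.com/acct1, /acct2) collide.
function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Decide whether a form found on pageURL should be prefilled with login.
// prefs: { prefillForms: boolean, checkActionOrigin: boolean }
function shouldPrefill(login, pageURL, form, prefs) {
  if (!prefs.prefillForms) return false;            // user must pick from the dropdown
  if (originOf(pageURL) !== login.origin) return false;
  if (!form.fields.includes(login.usernameField) ||
      !form.fields.includes(login.passwordField)) return false;
  // Resolve a relative action against the page URL, as the browser would.
  const action = new URL(form.action || pageURL, pageURL).href;
  if (prefs.checkActionOrigin && originOf(action) !== login.actionOrigin) {
    return false;                                   // credentials would leave the origin
  }
  return true;
}

// Constructed sample: a login saved from the real login form on example.com.
const savedLogin = {
  origin: "http://example.com", actionOrigin: "http://example.com",
  usernameField: "user", passwordField: "pass",
};
// Constructed sample: a form in a user-controlled path on the same host whose
// action posts to another origin (the pattern colfer describes above).
const pageURL = "http://example.com/~acct2/profile.html";
const crossSiteForm = { action: "http://cdbaby.com/cart", fields: ["user", "pass"] };

// 2.0.0.1 default (prefillForms=true, no action check): prefilled -> true
const lax = shouldPrefill(savedLogin, pageURL, crossSiteForm,
  { prefillForms: true, checkActionOrigin: false });
// The about:config workaround (prefillForms=false): -> false
const noFill = shouldPrefill(savedLogin, pageURL, crossSiteForm,
  { prefillForms: false, checkActionOrigin: false });
// Assumed stricter rule (action origin must match): -> false
const strict = shouldPrefill(savedLogin, pageURL, crossSiteForm,
  { prefillForms: true, checkActionOrigin: true });
```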

Nitin
Moderator

 
Posts: 3483
Joined: February 27th, 2003, 9:38 pm
Location: San Jose, CA

Post Posted December 8th, 2006, 7:00 pm

Wow, that's a lot of fixes for a .0.0.1 release!
If you're not using Firefox, you're not surfing the web, you're suffering it.
Join the MZ folding@home team.

Frank Lion

 
Posts: 20595
Joined: April 23rd, 2004, 6:59 pm
Location: ... The Exorcist....United Kingdom

Post Posted December 8th, 2006, 7:05 pm

I know I should know this, but do we have a public ETA for the 2.0.0.1 release yet?
Metal Lion latest SeaMonkey & Thunderbird Themes - Sea Monkey and Silver Sea Monkey
"The only thing necessary for the triumph of evil, is for good men to do nothing." - Edmund Burke (attrib.)

xpgeek

 
Posts: 112
Joined: August 7th, 2005, 3:47 pm
Location: Jersey, USA

Post Posted December 8th, 2006, 7:09 pm

I actually like and prefer the change that signon.prefillForms = false provides.

The Ex Omega
 
Posts: 0
Joined: December 31st, 1969, 5:00 pm

Post Posted December 8th, 2006, 8:24 pm

Frank Lion wrote: I know I should know this, but do we have a public ETA for the 2.0.0.1 release yet?

I heard December 15th, though it could be later.

Frank Lion

 
Posts: 20595
Joined: April 23rd, 2004, 6:59 pm
Location: ... The Exorcist....United Kingdom

Post Posted December 8th, 2006, 8:52 pm

Omega X wrote:
Frank Lion wrote: I know I should know this, but do we have a public ETA for the 2.0.0.1 release yet?

I heard December 15th, though it could be later.

Many thanks, I just needed a rough idea, that's fine.
Metal Lion latest SeaMonkey & Thunderbird Themes - Sea Monkey and Silver Sea Monkey
"The only thing necessary for the triumph of evil, is for good men to do nothing." - Edmund Burke (attrib.)

greenknight

 
Posts: 6182
Joined: December 13th, 2004, 2:28 am
Location: In the shadow of Mount St. Helens

Post Posted December 9th, 2006, 5:07 am

xpgeek wrote:I actually like and prefer the change that signon.prefillForms = false provides.
Can't say I like it, but it's not too annoying. I had feared much worse.
Win 10 Home x64, Linux Mint 19.1 MATE x64, AMD A8 5600K APU 3.6 GHz (3.9 Turbo), AMD Radeon HD 7560D (integrated graphics). G.Skill Ares DDR3-2400 (running at 2133) 8GB, Firefox 73.0, Developer Edition 74.0b3(Win only), Nightly 75.0a1x64 (Win), Nightly 75.0a1 (Linux AMD64) .

RyanVM
 
Posts: 1264
Joined: June 16th, 2004, 6:00 am
Location: Exton, PA

Post Posted December 9th, 2006, 6:47 am

colfer wrote:Yep, same date stamp. Brendan weighed in today on the (ridiculously bloated, should be forum posts) discussion in Bug 360493,
Now there's an understatement. That's the first bug where I've actually un-CCed myself from it because I couldn't take the inane discussion anymore.

EDIT: Though I have to say, Bob Novell's long-winded diatribes have been good for an occasional laugh. That guy reminds me of chicken little meets that crazy guy on the street with a cardboard sign screaming that the world is about to end.

chob
 
Posts: 4283
Joined: May 17th, 2003, 12:05 pm
Location: London, UK

Post Posted December 9th, 2006, 9:28 am

OK, so if bug 360493 [Firefox:Password Manager]-Cross-Site Forms + Password Manager = Security Failure [All] isn't fixed for 2.0.0.1, I should probably remove it from the fixlist, right? :)
