[Branch] Firefox 2.0.0.5 fixlist (NOW RELEASED)

Discussion about official Mozilla Firefox builds
Wildmyron
Posts: 245
Joined: November 16th, 2004, 6:54 am
Location: Greenmount, Australia

Post by Wildmyron »

^ New version released.
What was wrong? Well, basically, at some point, while studying how cookies work, I coded the session saving function to write the cookie to include "HttpOnly"; I can't recall if I actually thought I understood what it was for, or if I just thought it should be there. It turns out that that's a flag to say "hey, no, don't let JavaScript muck about with this cookie", and Firefox just never paid attention to that before now.
http://community.livejournal.com/ljlogin/2675.html

Networking Landings, #1 (bug 178993) caused the change, but my interpretation is that ljlogin was doing the wrong thing.
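
Added example (not part of the original post, and not ljlogin's or Firefox's code): a small JavaScript model of the behaviour described above, where a browser that honors HttpOnly hides flagged cookies from script reads and one that ignores the flag exposes them. The cookie names and header values are constructed for illustration.

```javascript
// Model of which cookies a script-side read (document.cookie) can see.
// All sample data below is constructed, not taken from any real site.

// Parse one Set-Cookie header value into { name, value, httpOnly }.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim()).filter((p) => p !== "");
  if (parts.length === 0) return null;
  const eq = parts[0].indexOf("=");
  if (eq <= 0) return null; // missing cookie name: ignore the header
  const cookie = {
    name: parts[0].slice(0, eq).trim(),
    value: parts[0].slice(eq + 1).trim(),
    httpOnly: false,
  };
  for (const attr of parts.slice(1)) {
    // Attribute names are case-insensitive; any value after "=" is ignored.
    const attrName = attr.split("=")[0].trim().toLowerCase();
    if (attrName === "httponly") cookie.httpOnly = true;
  }
  return cookie;
}

// Build the string a document.cookie read would return.
// honorHttpOnly=false models a browser that ignores the flag;
// honorHttpOnly=true models one that enforces it.
function scriptVisibleCookies(headers, honorHttpOnly) {
  return headers
    .map(parseSetCookie)
    .filter((c) => c !== null && !(honorHttpOnly && c.httpOnly))
    .map((c) => `${c.name}=${c.value}`)
    .join("; ");
}

// Constructed sample headers (hypothetical names and values).
const SAMPLE_HEADERS = [
  "session=abc123; path=/; HttpOnly",
  "theme=dark; path=/",
  "token=xyz ; HTTPONLY ; path=/",
];
```

Code that writes a session cookie with HttpOnly and later expects script to read it back works only in the first mode, which matches the breakage the post describes.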
colfer
Posts: 643
Joined: December 4th, 2002, 9:34 am
Location: Bear

Post by colfer »

This Mac-only regression ended up in the release: Bug 388583, Autocomplete dropdown doesn't update when scrolling with scrollbar. The problem is actually a bit worse than that title, for instance it causes Bug 388711, Password manager scrollbar doesn't work. A fix is ready for checkin for 2.0.0.6 if approved. Hmm, with all those extra digits in the version number... :monkey:
chob
Posts: 4283
Joined: May 17th, 2003, 12:05 pm
Location: London, UK

Post by chob »

Wildmyron wrote:
^ New version released.
What was wrong? Well, basically, at some point, while studying how cookies work, I coded the session saving function to write the cookie to include "HttpOnly"; I can't recall if I actually thought I understood what it was for, or if I just thought it should be there. It turns out that that's a flag to say "hey, no, don't let JavaScript muck about with this cookie", and Firefox just never paid attention to that before now.
http://community.livejournal.com/ljlogin/2675.html

Networking Landings, #1 (bug 178993) caused the change, but my interpretation is that ljlogin was doing the wrong thing.

Good stuff. A couple of devs on IRC were trying to troubleshoot this too, but they didn't take it too far because the code was a bit weird in places. There were some funny bits when reading it tho, like:

Code:

try { // Get the cookie
  var yumcookie = handinjar.getNext();
  if (!yumcookie) { // Oops. No actual cookie there.
    return false;
  }

and a bunch of else after returns, which apparently is a bit icky. And some comments like:

Code:

// Now, go through the Password Manager and hopefully find a matching
// username/uid pair. I *would* use findPasswordEntry instead, except
// that whoever wrote it makes it throw an exception if there's no
// match, instead of doing something sane with return values. Cockbites.

Which is weird, since he's already shown he knows how to use try/catch to catch exceptions, etc. But hey, if the extension is now working, great stuff!
-fullmetaljacket-
Posts: 308
Joined: September 21st, 2006, 8:30 pm
Location: Pilipinas

Post by -fullmetaljacket- »

polidobj wrote:
    -fullmetaljacket- wrote:
        Littlemutt wrote: security green #6 https://bugzilla.mozilla.org/show_bug.cgi?id=387333 , shows check in and verified 7/10/07, so I'd say yes... the fix is in.

        is that it? i was talking about this: http://secunia.com/cve_reference/CVE-2007-3670/
    That doesn't look like the right bug. I don't know what the bug is. But it is fixed.

it was bug 389106
colfer
Posts: 643
Joined: December 4th, 2002, 9:34 am
Location: Bear

Post by colfer »

A patch for 389106 was checked in yesterday, as well as another security thing, 388121, and the dropdown scrollbar thing 388583. These are all for Firefox 2.0.0.6.
chob
Posts: 4283
Joined: May 17th, 2003, 12:05 pm
Location: London, UK

Post by chob »

Yeah, looks like a quick 2.0.0.6 is scheduled to get some more security fixes, along with that silly 'URL bar drop down history not scrolling' bug on Mac. Perhaps only four checkins!
  1. #388121 [Core]-More consistent handling of principals for loads across docshell type boundaries. [All]
  2. #388583 [Core:XP Toolkit/Widgets: XUL]-Autocomplete dropdown doesn't update when scrolling with scrollbar [Mac]
  3. #389106 [Core]-Escape quotes and escape spaces even for the OnlyNonASCII flag [All]
  4. #389287 [Installer]-Remove protocol handler registry keys added by the MS shim [All]
Firefox 2.0.0.6pre candidates (not yet fully populated)
Last edited by chob on July 24th, 2007, 5:00 am, edited 2 times in total.
canuckerfan
Posts: 105
Joined: July 4th, 2005, 1:25 pm

Post by canuckerfan »

ever since updating to 2.0.0.5, is anyone else getting weird "shaking" after switching users while fx is open?
colfer
Posts: 643
Joined: December 4th, 2002, 9:34 am
Location: Bear

Post by colfer »

Why the hell is Firefox still shipping with signon.prefillForms defaulted to "true"? Not fixed in the 2.0.0.6 rc1.

Hence Slashdot article today:
IT: Password Vulnerability In Firefox 2.0.0.5
Posted by CmdrTaco on Monday July 23, @11:18AM
from the waiting-for-the-patch-boys dept.
Paris The Pirate writes "According to a message posted over the weekend on the Full-Disclosure mailing list, the latest version of Firefox, 2.0.0.5, contains a password management vulnerability that can allow malicious Web sites to steal user passwords. If you have JavaScript enabled and allow Firefox to remember your passwords, you are at risk from this flaw."

http://it.slashdot.org/article.pl?sid=07/07/23/1450224
colfer
Posts: 643
Joined: December 4th, 2002, 9:34 am
Location: Bear

Post by colfer »

By the way, it's the ancient "MySpace" bug, which MySpace fixed, but it is a general problem with user-driven web sites. IIRC, somehow IE avoids the bug, so Mozilla has kept the "signon.prefillForms" pref as "true" when the only sane way to browse is with it "false." That just means you need to click or tab to the user name field to select the name and then get your password filled.