Confirmed users, Bureaucrats and Sysops emeriti
2,088
edits
Places:SecurityReview: Difference between revisions
no edit summary
No edit summary |
|||
| Line 151: | Line 151: | ||
What ranges for the tunable are appropriate? How are they determined? | What ranges for the tunable are appropriate? How are they determined? | ||
What are its on-going maintenance requirements (e.g. Web links, perishable data files)? | What are its on-going maintenance requirements (e.g. Web links, perishable data files)? | ||
* The default bookmarks.html file | * The default bookmarks.html file | ||
== Documentation == | == Documentation == | ||
| Line 171: | Line 164: | ||
* [http://developer.mozilla.org/en/docs/Category:Places All Places Pages on MDC] | * [http://developer.mozilla.org/en/docs/Category:Places All Places Pages on MDC] | ||
= | = Notes = | ||
== | * SQL Injection | ||
** TODO: enumerate and document all sources of data added into places.sqlite | |||
** TODO: formalized audit of code path of input data, confirm it's using parameter binding instead of executing raw SQL. | |||
* Remote Containers | |||
** External data shown inside places views | |||
** Sanitization of data? Same as input data from user/web? | |||
** No visual identification that they're different from local folders | |||
* Assuming Fx is only writer to places.sqlite | |||
** Extensions can write to it | |||
** External apps | |||
** Any solution to this should be application wide, not just places | |||
* Place URIs in content? moz-anno? | |||
** TODO: write mochitest test for this | |||
** TODO: confirm moz-anno blacklisted, LXR link is rotten: http://mxr.mozilla.org/seamonkey/search?string=moz-anno | |||
* Increased risk from having more history | |||
** TODO: document the changes, the toggles, and the elevated risk. | |||
* Updating to latest SQLite | |||
** Need to maintain downrev ourselves if we can't upgrade, even if painful | |||
** SQLite is moving fast, not maintaining stable branches | |||
* Secure deletes | |||
** SQLite impl, not ours | |||
** Mil-spec level disk sanitation overkill? | |||
** Vlad's async write implementation moots sync write configuration | |||
** Possibly data thought deleted in journal after a crash | |||
* Externally manipulated visit counts | |||
** Malicious script bumping up visit counts to push URIs up in autocomplete | |||
** Window: could only count typed or clicked as visits | |||
** Not using the rollup count for Places autocomplete right now (note: we checked after the meeting, and we actually are) | |||
** Johnath: visit count is visible in page info (for site domain, not URI) | |||
** Visit count is visible in organizer | |||
** Page-info does use hostname, not just domain name | |||
* Scrolling to matched terms in URLs in autocomplete | |||
** Phishing risk? | |||
** Should make hostname always visible | |||
** This feature is not actually implemented yet. | |||
** Should split so hostname is always visible | |||
** TODO: make a note on that bug | |||
* Javascript/data URIs in the sidebar? | |||
** Vulnerable in the past | |||
** Executes in chrome (plugged in 2 and 3) | |||
** TODO: confirm js and data URIs not in places UIs | |||
** http://mxr.mozilla.org/seamonkey/ident?i=PU_checkURLSecurity | |||
** http://mxr.mozilla.org/seamonkey/source/browser/components/places/content/utils.js#1251 | |||
* Feed sanitization | |||
** How sanitized now? whitelist based? | |||
** TODO: confirm whitelist | |||
* Feed items that are bookmarklets or data uris | |||
** TODO: confirm in feeds code | |||
** TODO: if we do drop bad entries, need to document that | |||
* Feed items in autocomplete? | |||
** mconnor: doctor grp w/ bookmarks in livemarks, and hostname changes regularly, might want livemark items in AC | |||
** Maybe show livemark item icon instead of star? | |||
** Maybe have a pref to cover this edge case? | |||
* JSON in copy/paste | |||
** If a script could inject JSON data in our format w/ our mime-type into the clipboard, and then get the user to paste while in the Places organizer, could get data into the db | |||
** Relying on crockford's sanitization code | |||
** Will soon be using JSON for filesystem backup/restore | |||
** Executes in a sandbox | |||
* Favicon content | |||
** Window: only images for favicons? | |||
*** Potentially svg | |||
** Seth: tab favicon might be different from location bar favicon | |||
*** Different code paths in chrome than in content for this | |||
*** Mconnor: Image decoder used for both content and chrome at the display level | |||
** Window: what do we do w/ malformed image data? | |||
*** Mconnor: decoder should throw it away (confirm) | |||
* Post URIs ({{bug|94514}}) | |||
** Should mark them as hidden | |||
** Should not increase visit counts | |||