Security/Reviews/Firefox5/ReviewNotes/GIO: Difference between revisions
Jump to navigation
Jump to search
(Created page with "Date of Review: 2011.05.02 ===Item Reviewed=== * GIO/GVFS integration for opening sftp:// or smb:// URIs directly in Firefox under Gnome {{bug|494163}} Background: * Only for GNO...") |
No edit summary |
||
| Line 20: | Line 20: | ||
Action Items: | Action Items: | ||
* None | * None | ||
[[Category:SecReview|GIO]] | |||
Latest revision as of 19:20, 4 January 2012
Date of Review: 2011.05.02
Item Reviewed
- GIO/GVFS integration for opening sftp:// or smb:// URIs directly in Firefox under Gnome bug 494163
Background:
- Only for GNOME, gnome vfs (gvfs) extenion instead that is compiled by default
- Gnome depricating apis etc, this is the replacement
- Support for sftp is probably good, more leary of smb
- This is marked as dangerous to load & thus mitigates attack
- Could be used to read across domains to gain information about the network of a user via the browser (see above mitigation)
- No worse than an extension that adds a privelaged protocol type
- Support for sftp is probably good, more leary of smb
- One diff is GIO is stateful where GVFS is not
Issues Raised:
- How are passwords handled?
- Uses the Firefox password manager
- Password could potentially be saved and replayed
- No different risk from any other connection
- This is an extension of the attack surface to the internet for affected platforms, may require changes to SELinux versions for permissions
- Out of our scope
Action Items:
- None