Date of Review: 2011.05.02
Item Reviewed
- GIO/GVFS integration for opening sftp:// or smb:// URIs directly in Firefox under Gnome bug 494163
Background:
- Only for GNOME, gnome vfs (gvfs) extenion instead that is compiled by default
- Gnome depricating apis etc, this is the replacement
- Support for sftp is probably good, more leary of smb
- This is marked as dangerous to load & thus mitigates attack
- Could be used to read across domains to gain information about the network of a user via the browser (see above mitigation)
- No worse than an extension that adds a privelaged protocol type
- Support for sftp is probably good, more leary of smb
- One diff is GIO is stateful where GVFS is not
Issues Raised:
- How are passwords handled?
- Uses the Firefox password manager
- Password could potentially be saved and replayed
- No different risk from any other connection
- This is an extension of the attack surface to the internet for affected platforms, may require changes to SELinux versions for permissions
- Out of our scope
Action Items:
- None