[Pkg-mozext-maintainers] Bug#919557: Bug#919557: Bug#919557: Bug#919557: Bug#922944: handling symbolic links in webextensions
infinity0 at debian.org
Sun Apr 26 02:15:44 BST 2020
> On Sunday, 26 April 2020 9:25:06 AM AEST Ximin Luo wrote:
>> The source code doesn't mention any particular reason, and one person on
>> the upstream bug report mentions it in such an off-the-cuff and
>> non-explanatory way I can't take it into account as a serious data point.
>> We shouldn't just let a mere mention of "security" scare us into not
>> touching stuff and using our own reasoning to fix bugs.
>> And I *did* think about the possible security considerations, as I
>> explained in my previous email, and derived my suggested patch based on
>> these considerations. (FWIW, I have done and am doing various types of
>> security work professionally, and I'm confident about this type of
>> reasoning in general.)
> Did you consider the possibility of users having a mix of packaged and non-
> packaged extensions? I think it is reasonable to contain/sandbox extensions
> to prevent peeking to various file system locations through symlinks.
> Once Firefox is patched to allow symlinks, the threat might be from malicious
> symlinks in non-packaged extensions.
Yes, I covered this already. My suggested patch (B) would only traverse symlinks when the extension being loaded (the symlink being resolved) is itself underneath /usr/share/webext, other extensions would still not be allowed to traverse symlinks.
Please do read through my first email in full.
More information about the Pkg-mozext-maintainers