hasontheweb.blogg.se

En 12368 download












> Ideally we would have a way to serve additional entries in this list
> the documentation mentions that "ShellExecuteEx uses AssocIsDangerous to
> This may be the reason why Windows Explorer does not warn about the file, as
> (In reply to Aaron Klotz from comment #14)
> Thanks Gijs for landing this sooner, I was traveling today.

(In reply to :Paolo Amadini from comment #19)

This is unclear from the current user interface, and there is no way to undo this action save from editing "about:config". I think this ability should be removed, because it applies to every file type, not just the individual file being opened, and also applies to actions triggered by browser extensions. While we're thinking about possible improvements, one thing I noticed is that the warning can be disabled globally and permanently using the checkbox.


We can also supplement the list using AssocIsDangerous, but it wouldn't handle cases like this bug. Ideally we would have a way to serve additional entries in this list remotely using one of the already available mechanisms, or at least have the list defined in JavaScript so we could use a hotfix if necessary. This may be the reason why Windows Explorer does not warn about the file, as the documentation mentions that "ShellExecuteEx uses AssocIsDangerous to trigger zone checking".


> doesn't appear to pick up ".settingcontent-ms" when testing on my machine.
> Looks like AssocIsDangerous is what Explorer itself uses.

(In reply to Aaron Klotz from comment #14)

Thanks Gijs for landing this sooner, I was traveling today.

: Improves security from code execution on the local machine with minimal risk.

: This only affects the download and file opening code path, and we don't actually use this file extension for anything in the source tree anyways.

: Yes, using the proof of concept attached to this bug

: Not automatically testable, it effectively patches a Windows issue with a missing warning even if the file is correctly marked as having a remote source

: Code execution on the local machine without warning if an extension creates a file with a "SettingContent-ms" extension

Let us know if you'd like us to land this on mozilla-central first, or just have the sheriffs land everywhere at the same time. As mentioned in the previous comment, I think this is quite safe to land on all branches. Since this patch is quite straightforward, I'm already requesting the uplift flags so we can get this on the Release Management radar sooner.












