This may be the reason why Windows Explorer does not warn about the file, as the documentation mentions that "ShellExecuteEx uses AssocIsDangerous to trigger zone checking".

> doesn't appear to pick up ".settingcontent-ms" when testing on my machine.

> Looks like AssocIsDangerous is what Explorer itself uses.

(In reply to Aaron Klotz from comment #14)

Thanks Gijs for landing this sooner, I was traveling today.

: Improves security from code execution on the local machine with minimal risk.

: This only affects the download and file opening code path, and we don't actually use this file extension for anything in the source tree anyways.

: Yes, using the proof of concept attached to this bug

: Not automatically testable, it effectively patches a Windows issue with a missing warning even if the file is correctly marked as having a remote source

: Code execution on the local machine without warning if an extension creates a file with a "SettingContent-ms" extension

Let us know if you'd like us to land this on mozilla-central first, or just have the sheriffs land everywhere at the same time.

As mentioned in the previous comment, I think this is quite safe to land on all branches.

Since this patch is quite straightforward, I'm already requesting the uplift flags so we can get this on the Release Management radar sooner.