Mathwiz Posted November 12, 2023 Posted November 12, 2023 1 hour ago, VistaLover said: CVE-2019-11730 This vulnerability is interesting. The idea behind it is, someone sends you a malicious HTML document in (say) an email. You open it, thinking HTML documents should be safe - but the document uses Javascript to read other files in the folder the HTML document was downloaded to, and upload them to their server. For this to work, the malicious document has to know (or guess) the names of other files in the directory it gets downloaded to. If the email client (say) creates a unique directory for each email, then you're safe - the only thing in the download directory would be the email and attachments the attacker himself sent. But apparently some email clients and messaging apps aren't so careful, and put data from different emails into the same directory. Worse, they use easily-guessed file names, so a malicious HTML page can read your mail with some Javascript. This looks to me more like a vulnerability in certain email and messaging apps than a browser issue; nevertheless, Mozilla decided to "fix" the problem at the browser end, by treating every file:// URL as a unique origin. (I'm sure Chromium did the same.) That's why @luweitest's site didn't work when downloaded (until he changed the pref) - the browser blocked any Javascript from accessing anything in any other file! I presume it's also why @grey_rat recommended the "SingleFile" extension - if it had worked, it would've put the whole site in one big file, and the Javascript code would have been allowed to access it.
grey_rat Posted November 12, 2023 Posted November 12, 2023 Quote I presume it's also why @grey_rat recommended the "SingleFile" extension Not certainly in that way, I only knew about "SingleFile", so suggested as an alternative
luweitest Posted November 13, 2023 Posted November 13, 2023 On 11/11/2023 at 8:54 PM, VistaLover said: How so? Aren't you subscribed to this thread? ... so I tend to think toggling only that newer, second, one might be preferable I previously set subscription to one E-mail per week, and I have been too busy recently to read these e-mails, so I'd rather log in to check replies. I've took your advice and I'll check the notification options. Thank you. 1
luweitest Posted November 13, 2023 Posted November 13, 2023 (edited) MSFN needs a "delete own post" option Edited November 13, 2023 by luweitest duplicate 2
luweitest Posted November 13, 2023 Posted November 13, 2023 (edited) should be deleted Edited November 13, 2023 by luweitest duplicate
mina7601 Posted November 14, 2023 Posted November 14, 2023 19 hours ago, luweitest said: MSFN needs a "delete own post" option Even though I agree with you on this, I also understand why MSFN doesn't have such an option.
Mathwiz Posted November 14, 2023 Posted November 14, 2023 They could offer it with a time limit (of, say, an hour).
luweitest Posted November 14, 2023 Posted November 14, 2023 1 hour ago, mina7601 said: Even though I agree with you on this, I also understand why MSFN doesn't have such an option. To prevent deletion in case account stolen? 53 minutes ago, Mathwiz said: They could offer it with a time limit (of, say, an hour). Exactly!
mina7601 Posted November 14, 2023 Posted November 14, 2023 16 hours ago, luweitest said: To prevent deletion in case account stolen? No, I mean, deleting posts could be abused. But yeah, I agree to have that option with a cooldown similar to Discourse's delete posts cooldown.
WSC4 Posted November 15, 2023 Posted November 15, 2023 On 11/11/2023 at 2:28 PM, DanR20 said: FWIW it looks like Microsoft did away with the previous usable Hotmail format so now the default string in 52.0 and 55.0 will take you to the bare minimum format similar to gmail's. Changing the string in about:config to Firefox's most recent will render their newer buggy version so that's the choice. Yes, I have this problem in New Moon 28, 64-bit using outlook.live.com. I have in about:config general.useragent.override.outlook.live.com and still cannot get rid of their bare format. What is your string value for this please?
DanR20 Posted November 15, 2023 Posted November 15, 2023 (edited) 4 hours ago, WSC4 said: Yes, I have this problem in New Moon 28, 64-bit using outlook.live.com. I have in about:config general.useragent.override.outlook.live.com and still cannot get rid of their bare format. What is your string value for this please? For 52.0 and 55.0 I'm using this string: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0 Unfortunately the new format is very buggy with these browsers and just logging in to the site slows them down to a crawl. I may end up going back to the bare format to keep it usable. Edited November 15, 2023 by DanR20
Mathwiz Posted November 16, 2023 Posted November 16, 2023 On 11/14/2023 at 12:56 PM, mina7601 said: I mean, deleting posts could be abused. It could, but we do allow editing posts, and that can also be abused. Just takes a bit longer.
Mathwiz Posted November 16, 2023 Posted November 16, 2023 On 11/9/2023 at 9:26 PM, Mathwiz said: I tried 2023.10.12 today and it too works fine. So that narrows the issue down to one of the last two versions. I'll try the remaining version as time permits. I tried 2023.10.19 (the 20231021 file) today and it too works fine. So the issue: On 11/7/2023 at 10:37 PM, Mathwiz said: File downloads never complete when using the "open file" option. The file seems to download, but once it "should" be completely downloaded, the download freezes. The downloaded file shows 0 bytes in the temporary directory. You can't even cancel the download except by closing the browser. ... appears to have started with the 2023.10.26 build.
roytam1 Posted November 16, 2023 Author Posted November 16, 2023 11 hours ago, Mathwiz said: I tried 2023.10.19 (the 20231021 file) today and it too works fine. So the issue: ... appears to have started with the 2023.10.26 build. the only suspected rev is reverted by upstream, so lets see what will happen in next build 1
VistaLover Posted November 16, 2023 Posted November 16, 2023 2 hours ago, roytam1 said: the only suspected rev is reverted by upstream Hello ; do you think https://repo.palemoon.org/MoonchildProductions/UXP/commit/e4643f5bed2cdc600fc29900fe3b4d22e25763bc is the culprit, hence you did this: https://github.com/roytam1/basilisk55/commit/9bd1d38f77d2c01548f8802c369368e68ca08911 ? I'm no coder myself (everyone here knows that ) , but I had more time now to study Mathwiz's report, specifically: On 11/8/2023 at 6:37 AM, Mathwiz said: File downloads never complete when using the "open file" option. ... "Open file" is one of the conveniences FF-derived browsers like Serpent provide over Chromium-based browsers. It downloads to your temporary directory, opens the file, then (if the file isn't still open) deletes it for you when you close the browser, ... Downloads via an add-on, such as DownThemAll, work fine. ... Trying to download the 7-Zip installer is a simple way to reproduce the bug. On 2023.10.06 the installer downloads, runs, and installs 7-Zip. On 2023.10.26 the installer downloads, but then the download freezes as described above. The issue is specific to the native downloader and the "open file" function - the file here being an "installer" binary which needs to be executed by the browser; the 7-zip installer comes in two varieties, EXE & MSI, so it would be helpful to clarify which - in any case, my own eyes fell on this: https://repo.palemoon.org/MoonchildProductions/UXP/commit/98c3aa57431c4b158c750dfabfd0ab90708ebf16 which you ported both to UXP and Bk55 trees: https://github.com/roytam1/UXP/commit/74a4260ecd6b6e6f40d48d4b181e34127487532b https://github.com/roytam1/basilisk55/commit/a406edc82008cf5b4fba914b73929a9933065319 Both of these first landed on the 2023/10/28 respective releases ... Speaking purely for myself , I think it's a bad practice to let the browser run executables; if it's installer packages, I strongly prefer to first "properly" download to disk and then archive them; many a times I've been bitten by a new application "update" that broke things for me and had to restore the previous version via its archived setup (often times no longer retrievable from the vendor); as for the actual installation step, I tend to exit all not-needed apps (including browsers) and then manually launch the setup - perhaps I interpret the "law" very "strictly" ...
Recommended Posts