mozilla-firefox: firefox loads external page instead of local html file
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
firefox (Debian) | Fix Released | Unknown | | |
firefox (Ubuntu) | Invalid | Low | Unassigned | |
Bug Description
Automatically imported from Debian bug report #269690 http://
Debian Bug Importer (debzilla) wrote : | #1 |
Debian Bug Importer (debzilla) wrote : | #2 |
Message-ID: <email address hidden>
Date: Fri, 3 Sep 2004 00:43:21 +0200
From: Filip Van Raemdonck <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: mozilla-firefox: firefox loads external page instead of local html file
Package: mozilla-firefox
Version: 0.9.3-2.2
Severity: grave
Justification: possible data exposure, unrequested online activity
I was cleaning up a system which had the Return to Castle Wolfenstein game
test release installed (the beta demo, before the actual game release)
Inside the wolftest installation directory there is a readme.html. From a
terminal window I ran "firefox wolftest2/
surprise firefox, once started, displayed an online web page; more
specifically http://
While that page seems fairly innocent, and is in fact related to at least
RTWC (and possibly the test version from the installation), firefox never
should've brought me there from that local html page. There is nothing in
the local page which should cause a redirect. In fact, when I just start
firefox without giving it a start page and then load the file locally it
displays it fine.
I quickly discovered that the above mailing list message, which firefox
displayed instead of the readme, is the #1 hit I get on google when
searching for "wolftest2".
So, obviously, firefox has problems with loading local files from the
command line when they are not in the current working directory, which,
combined with Debian bug #266962, causes the above issue. Both of these
together make up for a serious privacy flaw IMNSHO.[2]
FWIW, neither w3m (displays fine) nor mozilla (not found error) exhibit the
problematic behaviour.
Regards,
Filip
[1] That wolftest2 directory is where the demo is installed; I was in the
directory above it.
[2] Actually I consider #266962 by itself to be a serious problem; for some
reason I have not run into it yet (is this a recent (mis-)feature? Or am
I just a decent typist who does not input incorrect URIs?) but I
definitely do not want google to collect any data on my target surfing
locations, even if they need to correct them for typos.
-- System Information:
Debian Release: 3.1
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.4.27
Locale: LANG=C, LC_CTYPE=nl_BE@euro
Versions of packages mozilla-firefox depends on:
ii debianutils 2.8.4 Miscellaneous utilities specific t
ii fontconfig 2.2.3-1 generic font configuration library
ii libatk1.0-0 1.6.1-3 The ATK accessibility toolkit
ii libc6 2.3.2.ds1-16 GNU C Library: Shared libraries an
ii libfontconfig1 2.2.3-1 generic font configuration library
ii libfreetype6 2.1.7-2.2 FreeType 2 font engine, shared lib
ii libgcc1 1:3.4.1-7 GCC support library
ii libglib2.0-0 2.4.6-2 The GLib library of C routines
ii libgtk2.0-0 2.4.9-1 The GTK+ graphical user interface
ii libidl0 ...
Matt Zimmerman (mdz) wrote : | #3 |
Not RC
In Debian Bug tracker #269690, Scott Dier (dieman) wrote : Works as documented | #4 |
severity 269690 wishlist
thanks
"Usage: /usr/lib/
I find this hard to be a bug, you didn't provide a proper URL. 'text'
URLs in firefox are given off to google.
This bug does none of the following:
makes the package in question unusable or mostly so, or causes data
loss, or introduces a security hole allowing access to the accounts of
users who use the package.
Therefore, since it is closely related to the other bug -- it's merely
another place to input a URL, I'm changing it down to wishlist. It
should most likely be merged with the other bug, as this has to do with
URL handling, not a privacy issue.
--
Scott Dier <email address hidden> KC0OBS http://
"Right now we've been presented with an option that says cars now,
transit later -- maybe. That's not good enough."
-- Minneapolis Mayor R.T. Rybak.
Debian Bug Importer (debzilla) wrote : | #5 |
Message-ID: <email address hidden>
Date: Thu, 02 Sep 2004 23:44:48 -0500
From: Scott Dier <email address hidden>
To: <email address hidden>, <email address hidden>,
<email address hidden>
Subject: Works as documented
In Debian Bug tracker #269690, Helge Kreutzmann (kreutzm) wrote : Google does have privacy issues | #6 |
Hello,
I think it is *not* a good idea to fire off to any search machine if
the user in question makes an error. There is an easy technical reason
and a hard privacy reason.
A) Technical:
If I have dial-on-demand and I use firefox inappropriately, an
unwanted dial-out happens while I would expect an error message.
The reporter did *not* want to search for the term, and I don't think
he wanted to search for it in case the file did not exist either.
B) Privacy:
Google does store information about its use, and since google did
go public this is a valuable knowledge now being traded. If I need
this feature, I want to turn it *on*. Remember when you first used
the web browser and filled in a form? It informed you that you
were sending possibly sensitive data. I kept that window, but I
can also turn it off.
Hence it would be very sensible IMHO, if (Debian-)Firefox would pop up
an error message if the url/argument was not valid. Then document in
README.Debian, how to turn on the automatic search on google, if the
user wants it. If in doubt, choose privacy/security and document how
to get convenience, not vice versa.
I strongly disagree with the current severity level (wishlist) but
since I am neither the submitter nor the maintainer and currently do not use
firefox, I'll leave it at that. But I once reported a similar bug in
konqueror and it got quickly fixed.
Greetings
Helge
--
Helge Kreutzmann, Dipl.-Phys. <email address hidden>
gpg signed mail preferred gpg-key: finger <email address hidden>
64bit GNU powered http://
Help keep free software "libre": http://
Debian Bug Importer (debzilla) wrote : | #7 |
Message-ID: <email address hidden>
Date: Fri, 3 Sep 2004 15:16:48 +0200
From: Helge Kreutzmann <email address hidden>
To: <email address hidden>
Cc: Filip Van Raemdonck <email address hidden>
Subject: Google does have privacy issues
Thom May (thombot) wrote : | #8 |
Some good points in the discussion but this is not really a bug we care about
for warty.
In Debian Bug tracker #269690, rgselk (rgselknospam) wrote : Actually it is a bug in the firefox wrapper script... | #9 |
The problem is in the script /usr/bin/firefox.
After checking if the path is absolute
$RETURN_VAL is used instead of $?.
The attached patch fixes it.
mozilla-firefox 0.9.3-5
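The failure described in this comment, reduced to a runnable sketch (an added example, not the Debian wrapper's own code): because the check reads `$RETURN_VAL` rather than the `grep` exit status, a relative path that exists is never made absolute and goes to the browser as plain text. Assumptions: the function names, the stale `RETURN_VAL=0`, the body of the `if`, and the simplified `handling` model of the browser are all hypothetical.

```shell
#!/bin/sh
# Added illustration, not the Debian /usr/bin/firefox wrapper. The `if` body
# (prepend the working directory) is assumed from the script's own comment.

RETURN_VAL=0   # assumption: stale value left over from an earlier step

# Pre-patch check: consults $RETURN_VAL, so the grep result is never used.
resolve_buggy() {
    opt=$1
    echo "$opt" | grep -e '^/' >/dev/null 2>&1 || :   # result ignored
    if [ "${RETURN_VAL}" -ne "0" ] 2>/dev/null && [ -e "$(pwd)/$opt" ]; then
        opt="$(pwd)/$opt"
    fi
    printf '%s\n' "$opt"
}

# Patched check: the grep's own exit status decides. It is captured on the
# same line so nothing can run between the grep and the test.
resolve_fixed() {
    opt=$1
    status=0
    echo "$opt" | grep -e '^/' >/dev/null 2>&1 || status=$?
    if [ "$status" -ne 0 ] && [ -e "$(pwd)/$opt" ]; then
        opt="$(pwd)/$opt"
    fi
    printf '%s\n' "$opt"
}

# Simplified model of what the thread describes: an argument that is neither
# an absolute path nor a URL is treated as text and handed to a web search.
handling() {
    case $1 in
        /*)    echo local-file ;;
        *://*) echo url ;;
        *)     echo web-search ;;
    esac
}

# Constructed sample layout mirroring the report (relative path to a readme).
demo() {
    dir=$(mktemp -d) || return 1
    mkdir "$dir/wolftest2" && : > "$dir/wolftest2/readme.html"
    (
        cd "$dir" || exit 1
        for f in resolve_buggy resolve_fixed; do
            out=$($f wolftest2/readme.html)
            printf '%-14s -> %s\n' "$f" "$(handling "$out")"
        done
    )
    rm -rf "$dir"
}
demo
```

An unset `RETURN_VAL` gives the same outcome as the stale `0`: the numeric test then fails with an error, the condition is false, and the path stays relative.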
Debian Bug Importer (debzilla) wrote : | #10 |
Message-ID: <email address hidden>
Date: Tue, 12 Oct 2004 02:46:50 -0700 (PDT)
From: rgselk <email address hidden>
To: <email address hidden>
Subject: Actually it is a bug in the firefox wrapper script...
--- firefox Fri Sep 17 03:14:08 2004
+++ firefox Tue Oct 12 11:32:30 2004
@@ -315,7 +315,7 @@
# if it doesn't begin with a '/' and it exists when the pwd is
# prepended to it then append the full path
echo $opt | grep -e '^/' 2>/dev/null > /dev/null
- if [ "${RETURN_VAL}" -ne "0" ] && [ -e "`pwd`/$opt" ]; then
+ if [ "$?" -ne "0" ] && [ -e "`pwd`/$opt" ]; then
fi
exec $MOZ_CLIENT_PROGRAM "openurl(
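Review bot: on the changed `if` line, `$?` only reflects the `grep` for as long as the two lines stay adjacent; any command later inserted between them (a debug `echo`, for example) makes the check read the wrong status again without any visible error. Testing the pipeline directly in the `if`, or matching with `case "$opt" in /*)`, removes that coupling and saves a process. The context line `echo $opt | grep -e '^/'` also leaves `$opt` unquoted, so an argument containing spaces or glob characters is word-split and expanded before the check, while the `-e` test on the changed line does quote it; quote it as `"$opt"` in both places.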
In Debian Bug tracker #269690, Eric Dorland (eric-debian) wrote : Fixed in upload of mozilla-firefox 0.10.1+1.0PR-2 to experimental | #11 |
tag 262062 + fixed-in-
tag 269690 + fixed-in-
tag 273353 + fixed-in-
tag 274258 + fixed-in-
tag 275563 + fixed-in-
quit
This message was generated automatically in response to an
upload to the experimental distribution. The .changes file follows.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Sun, 17 Oct 2004 21:25:08 -0400
Source: mozilla-firefox
Binary: mozilla-
Architecture: source i386
Version: 0.10.1+1.0PR-2
Distribution: experimental
Urgency: low
Maintainer: Eric Dorland <email address hidden>
Changed-By: Eric Dorland <email address hidden>
Description:
mozilla-firefox - lightweight web browser based on Mozilla
mozilla-
mozilla-
Closes: 262062 269690 273353 274258 275563
Changes:
mozilla-firefox (0.10.1+1.0PR-2) experimental; urgency=low
.
* debian/
- Patch from Sam Morris to handle cleanup of directories with
unusual names.
- Fix return value check, patch from rgselk. (Closes: #269690)
* debian/
#275563)
* debian/rules:
- --with-gssapi=/usr, enable Negotiate extension. (Closes:
#274258)
- Enable gnomevfs support,
* debian/control:
- Build-depend on libkrb5-dev.
- Build-depend on libgnomevfs2-dev.
- New gnomevfs package, based on work by Mike Hommey. (Closes:
#262062)
* debian/
corresponding files from mozilla-
* debian/
* browser/
network.
negotiate extension over secure links.
* config/rules.mk: Tweak patch from Thiemo Seufer to include svg_doc in
non-
Files:
f991e9e91c40b6
67ff9c1d44aa94
11d0e54da212ef
75ee38d23d0eb6
e83d655c40aa9a
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
iD8DBQFBczWoYem
qcgR94RKCXEAW3s
=9qLU
-----END PGP SIGNATURE-----
Debian Bug Importer (debzilla) wrote : | #12 |
Message-Id: <email address hidden>
Date: Sun, 24 Oct 2004 00:53:07 -0400
From: Eric Dorland <email address hidden>
To: <email address hidden>
Cc: Eric Dorland <email address hidden>
Subject: Fixed in upload of mozilla-firefox 0.10.1+1.0PR-2 to experimental
In Debian Bug tracker #269690, Mike Hommey (mh-glandium) wrote : New upload to unstable make bugs fixed-in-experimental also fixed in unstable | #13 |
tag 274311 - fixed-in-
tag 274629 - fixed-in-
tag 275786 - fixed-in-
tag 277113 - fixed-in-
tag 273700 - fixed-in-
tag 265482 - fixed-in-
tag 275563 - fixed-in-
tag 262062 - fixed-in-
tag 265907 - fixed-in-
tag 269690 - fixed-in-
tag 274258 - fixed-in-
tag 274493 - fixed-in-
tag 275844 - fixed-in-
tag 274311 + sarge
tag 274629 + sarge
tag 275786 + sarge
tag 277113 + sarge
tag 273700 + sarge
tag 265482 + sarge
tag 275563 + sarge
tag 262062 + sarge
tag 265907 + sarge
tag 269690 + sarge
tag 274258 + sarge
tag 274493 + sarge
tag 275844 + sarge
thanks
New upload to unstable make bugs fixed-in-
unstable, thus untagging them sid if necessary, and tagging them sarge
only.
Mike
Debian Bug Importer (debzilla) wrote : | #14 |
Message-ID: <email address hidden>
Date: Tue, 26 Oct 2004 23:38:14 +0900
From: Mike Hommey <email address hidden>
To: <email address hidden>
Subject: New upload to unstable make bugs fixed-in-
In Debian Bug tracker #269690, Mike Hommey (mh-glandium) wrote : 1.0-2 migrated to sarge | #15 |
mozilla-firefox version 1.0-2 migrated to sarge, implying that these
bugs which were still in 0.9.3-5 but have been solved in the meanwhile,
are finally solved in sarge.
Mike
Debian Bug Importer (debzilla) wrote : | #16 |
Message-ID: <email address hidden>
Date: Thu, 18 Nov 2004 11:44:13 +0900
From: Mike Hommey <email address hidden>
To: <email address hidden>, <email address hidden>,
<email address hidden>, <email address hidden>,
<email address hidden>, <email address hidden>,
<email address hidden>, <email address hidden>,
<email address hidden>, <email address hidden>,
<email address hidden>, <email address hidden>,
<email address hidden>, <email address hidden>,
<email address hidden>, <email address hidden>,
<email address hidden>, <email address hidden>,
<email address hidden>, <email address hidden>, <email address hidden>
Subject: 1.0-2 migrated to sarge
Changed in firefox: | |
status: | Unknown → Fix Released |
Automatically imported from Debian bug report #269690 http://bugs.debian.org/269690