Closed
Bug 1379100
Opened 7 years ago
Closed 6 years ago
Simplify symlink reversal by pretending they don't exist
Categories
(Core :: Security: Process Sandboxing, enhancement, P3)
Tracking
()
RESOLVED
WONTFIX
People
(Reporter: gcp, Unassigned)
References
Details
(Whiteboard: sb+)
Jed Davis suggested in bug 1308400:
"It occurs to me that we don't need to let the client normalize the path in the first place — we can return `EINVAL` (not a symlink) instead. The question then is whether there are any cases where we still need to do an actual `readlink`, given that we can `realpath` on the server side if we need to."
There's a few tricks here, and bug 1290896 might come back to us, but it's worth a shot.
|
Reporter | |
Comment 1•7 years ago
|
||
|
|
Reporter | |
Comment 2•7 years ago
|
||
As soon as stat() lies about the existence of symlinks, some tests like dom/xhr/tests/browser_blobFromFile.js start failing. It's not very clear to me why that is the case because there's no clear error - the test just times out.
|
||
Updated•7 years ago
|
Whiteboard: sb+
|
|
||
Updated•7 years ago
|
Priority: -- → P3
|
|
Reporter | |
Updated•6 years ago
|
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WONTFIX
You need to log in
before you can comment on or make changes to this bug.
Description
•