[PATCH] gnu: librewolf: Add %u to Exec option to open URLs.

  • Open
Details
3 participants
  • Ian Eure
  • André Batista
  • Roman Scherer
Owner
unassigned
Submitted by
Roman Scherer
Severity
normal
Roman Scherer wrote 2 days ago
(address . guix-patches@gnu.org)(name . Roman Scherer)(address . roman@burningswell.com)
dd246aacd5131efa0133601d89dc0f63479ab035.1733138991.git.roman@burningswell.com
* gnu/packages/librewolf.scm (librewolf): Add %u to Exec option to open URLs.

Change-Id: I8cf5d3886eaf7805209cf12eae0cc875bef6d5dd
---
gnu/packages/librewolf.scm | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/gnu/packages/librewolf.scm b/gnu/packages/librewolf.scm
index 5d432cfad8..42d212e9f9 100644
--- a/gnu/packages/librewolf.scm
+++ b/gnu/packages/librewolf.scm
@@ -605,7 +605,7 @@ (define-public librewolf
(substitute* desktop-file
(("^Exec=@MOZ_APP_NAME@")
(string-append "Exec="
- #$output "/bin/librewolf"))
+ #$output "/bin/librewolf %u"))
(("@MOZ_APP_DISPLAYNAME@")
"LibreWolf")
(("@MOZ_APP_REMOTINGNAME@")
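
Review bot: the pattern "^Exec=@MOZ_APP_NAME@" on the context line just above the change is not anchored at the end of the line, while the replacement now appends " %u" unconditionally. Any Exec line in the desktop file that carries text after the token would get " %u" inserted in front of that text, and a template that already ends in %u would end up with the field code twice. Consider matching through to the end of the line, or substituting only @MOZ_APP_NAME@ and handling the field code separately, and add a one-line comment saying that %u is the Desktop Entry field code through which the launcher passes a single URL.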

base-commit: 2756c660fb2d9e2fe3e1fd0898e4d7038c8273c7
--
2.46.0
André Batista wrote 2 days ago
(name . Roman Scherer)(address . roman@burningswell.com)
Z03EuKjzXIjcte6_@andel
Hi Roman,

Mon 02 Dec 2024 at 13:20:20 (1733156420), roman@burningswell.com wrote:
> * gnu/packages/librewolf.scm (librewolf): Add %u to Exec option to open URLs.
>
> Change-Id: I8cf5d3886eaf7805209cf12eae0cc875bef6d5dd
> ---
> gnu/packages/librewolf.scm | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/gnu/packages/librewolf.scm b/gnu/packages/librewolf.scm
> index 5d432cfad8..42d212e9f9 100644
> --- a/gnu/packages/librewolf.scm
> +++ b/gnu/packages/librewolf.scm
> @@ -605,7 +605,7 @@ (define-public librewolf
> (substitute* desktop-file
> (("^Exec=@MOZ_APP_NAME@")
> (string-append "Exec="
> - #$output "/bin/librewolf"))
> + #$output "/bin/librewolf %u"))
> (("@MOZ_APP_DISPLAYNAME@")
>

This was its previous state and was removed on commit
280aa6b57d7b741a7d8b076e1afa3dff23569332. See also #74070.

Copying Ian, who was the author of that change and has been maintaining
Librewolf.

Cheers!
Roman Scherer wrote 2 days ago
(name . André Batista)(address . nandre@riseup.net)
875xo2f6ii.fsf@burningswell.com
André Batista <nandre@riseup.net> writes:

Hi André,

thanks for taking a look. So this is fixing a security issue? Which one
exactly? Is it this one?

CVE-2024-10462: Origin of permission prompt could be spoofed by long URL

Are we planning to do the same for Icecat? If so, could we have a variant
of the browsers in Guix that are less hardened, and would allow opening
URLs?

I'm using Slack via Flatpak and not being able to open URLs from there
or other applications with my browser is a bit tedious.

Roman

> Hi Roman,
>
> Mon 02 Dec 2024 at 13:20:20 (1733156420), roman@burningswell.com wrote:
>> * gnu/packages/librewolf.scm (librewolf): Add %u to Exec option to open URLs.
>>
>> Change-Id: I8cf5d3886eaf7805209cf12eae0cc875bef6d5dd
>> ---
>> gnu/packages/librewolf.scm | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/gnu/packages/librewolf.scm b/gnu/packages/librewolf.scm
>> index 5d432cfad8..42d212e9f9 100644
>> --- a/gnu/packages/librewolf.scm
>> +++ b/gnu/packages/librewolf.scm
>> @@ -605,7 +605,7 @@ (define-public librewolf
>> (substitute* desktop-file
>> (("^Exec=@MOZ_APP_NAME@")
>> (string-append "Exec="
>> - #$output "/bin/librewolf"))
>> + #$output "/bin/librewolf %u"))
>> (("@MOZ_APP_DISPLAYNAME@")
>>
>
> This was its previous state and was removed on commit
> 280aa6b57d7b741a7d8b076e1afa3dff23569332. See also #74070.
>
> Copying Ian, who was the author of that change and has been maintaining
> Librewolf.
>
> Cheers!
Ian Eure wrote 2 days ago
(name . Roman Scherer)(address . roman@burningswell.com)
87cyiam4iz.fsf@retrospec.tv
Hi Roman, André,

Roman Scherer <roman@burningswell.com> writes:

> André Batista <nandre@riseup.net> writes:
>
> Hi André,
>
> thanks for taking a look. So this is fixing a security issue?
> Which one
> exactly? Is it this one?
>

This isn’t a security issue, the concern was created in a change
which also had security updates. The current nature of the
browser ecosystem means nearly every Firefox update contains
security fixes, so presence of them isn’t a very useful signal.

>
>> Hi Roman,
>>
>> Mon 02 Dec 2024 at 13:20:20 (1733156420),
>> roman@burningswell.com wrote:
>>> * gnu/packages/librewolf.scm (librewolf): Add %u to Exec
>>> option to open URLs.
>>>
>>> Change-Id: I8cf5d3886eaf7805209cf12eae0cc875bef6d5dd
>>> ---
>>> gnu/packages/librewolf.scm | 2 +-
>>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>>
>>> diff --git a/gnu/packages/librewolf.scm
>>> b/gnu/packages/librewolf.scm
>>> index 5d432cfad8..42d212e9f9 100644
>>> --- a/gnu/packages/librewolf.scm
>>> +++ b/gnu/packages/librewolf.scm
>>> @@ -605,7 +605,7 @@ (define-public librewolf
>>> (substitute* desktop-file
>>> (("^Exec=@MOZ_APP_NAME@")
>>> (string-append "Exec="
>>> - #$output
>>> "/bin/librewolf"))
>>> + #$output
>>> "/bin/librewolf %u"))
>>> (("@MOZ_APP_DISPLAYNAME@")
>>>
>>
>> This was its previous state and was removed on commit
>> 280aa6b57d7b741a7d8b076e1afa3dff23569332. See also #74070.
>>
>> Copying Ian, who was the author of that change and has been
>> maintaining
>> Librewolf.
>>

The context behind this change is that Firefox used to ship a
taskcluster/docker/firefox-snap/firefox.desktop file which had an
Exec line like this:

Exec=@MOZ_APP_NAME@ %u

The Guix package would use that file, replacing the token with the
path to the binary. The presence of %u in the package definition
is because the substitute* regexp is sloppy and replaces the whole
line instead of @MOZ_APP_NAME@ only. For reasons unknown to me,
Firefox stopped shipping this file and deleted it from their repo.
I looked around the repo and found
toolkit/mozapps/installer/linux/rpm/mozilla.desktop, for the rpm
package. Its Exec line is:

Exec=@MOZ_APP_NAME@

So I updated the package to use that, and the regexp to match.

The patch in #74648 looks fine to me, and I think it should be
pushed.

Thanks,

— Ian
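
The substitution behaviour described in the message above, as an added example that is not part of the thread or of Guix: a Python model of the whole-match replacement applied to both upstream Exec templates, followed by a check on the resulting URL field codes. The store path is a placeholder, the function names are hypothetical, and the input lines are constructed from the two templates quoted in the message.

```python
import re

# Constructed inputs modelled on the two upstream Exec templates quoted in the thread.
RPM_TEMPLATE = "Exec=@MOZ_APP_NAME@"        # rpm mozilla.desktop
SNAP_TEMPLATE = "Exec=@MOZ_APP_NAME@ %u"    # former firefox-snap firefox.desktop
BINARY = "/gnu/store/PLACEHOLDER-librewolf/bin/librewolf"  # placeholder store path
PATTERN = r"^Exec=@MOZ_APP_NAME@"           # pattern visible in the hunk


def substitute(line, replacement, pattern=PATTERN):
    """Replace the text matched by PATTERN as a whole; the rest of the line is kept."""
    return re.sub(pattern, lambda _match: replacement, line)


def url_field_codes(exec_line):
    """Return the %u / %U field codes in an Exec line; '%%' is a literal percent."""
    return [c for c in re.findall(r"%(.)", exec_line) if c in "uU"]


def check_exec(exec_line):
    """Classify an Exec line for an application that should accept a URL."""
    codes = url_field_codes(exec_line)
    if not codes:
        return "missing-url-field-code"    # nothing tells the launcher where the URL goes
    if len(codes) > 1:
        return "duplicate-url-field-code"  # spec allows at most one of %f %u %F %U
    return "ok"


def matrix():
    """Apply the pre-patch and patched replacements to both templates."""
    replacements = {"before": "Exec=" + BINARY, "after": "Exec=" + BINARY + " %u"}
    templates = {"rpm": RPM_TEMPLATE, "snap": SNAP_TEMPLATE}
    return {
        (which, name): check_exec(substitute(line, repl))
        for which, repl in replacements.items()
        for name, line in templates.items()
    }


if __name__ == "__main__":
    for key, verdict in matrix().items():
        print(key, verdict)
```

The ("before", "rpm") cell is the state the patch addresses; the ("after", "snap") cell shows what would happen if the upstream template regained its own field code while the replacement keeps appending one.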
Roman Scherer wrote 34 hours ago
(name . Ian Eure)(address . ian@retrospec.tv)
87zflddsfa.fsf@burningswell.com
Ian Eure <ian@retrospec.tv> writes:

Ok, thanks for the summary, Ian. Looking forward to the patch being
applied.

Thanks, Roman.

> Hi Roman, André,
>
> Roman Scherer <roman@burningswell.com> writes:
>
>> André Batista <nandre@riseup.net> writes:
>>
>> Hi André,
>>
>> thanks for taking a look. So this is fixing a security issue? Which
>> one
>> exactly? Is it this one?
>>
>
> This isn’t a security issue, the concern was created in a change which
> also had security updates. The current nature of the browser
> ecosystem means nearly every Firefox update contains security fixes,
> so presence of them isn’t a very useful signal.
>
>>
>>> Hi Roman,
>>>
>>> Mon 02 Dec 2024 at 13:20:20 (1733156420), roman@burningswell.com
>>> wrote:
>>>> * gnu/packages/librewolf.scm (librewolf): Add %u to Exec option to
>>>> open URLs.
>>>>
>>>> Change-Id: I8cf5d3886eaf7805209cf12eae0cc875bef6d5dd
>>>> ---
>>>> gnu/packages/librewolf.scm | 2 +-
>>>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>>>
>>>> diff --git a/gnu/packages/librewolf.scm
>>>> b/gnu/packages/librewolf.scm
>>>> index 5d432cfad8..42d212e9f9 100644
>>>> --- a/gnu/packages/librewolf.scm
>>>> +++ b/gnu/packages/librewolf.scm
>>>> @@ -605,7 +605,7 @@ (define-public librewolf
>>>> (substitute* desktop-file
>>>> (("^Exec=@MOZ_APP_NAME@")
>>>> (string-append "Exec="
>>>> - #$output
>>>> "/bin/librewolf"))
>>>> + #$output
>>>> "/bin/librewolf %u"))
>>>> (("@MOZ_APP_DISPLAYNAME@")
>>>>
>>>
>>> This was its previous state and was removed on commit
>>> 280aa6b57d7b741a7d8b076e1afa3dff23569332. See also #74070.
>>>
>>> Copying Ian, who was the author of that change and has been
>>> maintaining
>>> Librewolf.
>>>
>
> The context behind this change is that Firefox used to ship a
> taskcluster/docker/firefox-snap/firefox.desktop file which had an Exec
> line like this:
>
> Exec=@MOZ_APP_NAME@ %u
>
> The Guix package would use that file, replacing the token with the
> path to the binary. The presence of %u in the package definition is
> because the substitute* regexp is sloppy and replaces the whole line
> instead of @MOZ_APP_NAME@ only. For reasons unknown to me, Firefox
> stopped shipping this file and deleted it from their repo. I looked
> around the repo and found
> toolkit/mozapps/installer/linux/rpm/mozilla.desktop, for the rpm
> package. Its Exec line is:
>
> Exec=@MOZ_APP_NAME@
>
> So I updated the package to use that, and the regexp to match.
>
> The patch in #74648 looks fine to me, and I think it should be pushed.
>
> Thanks,
>
> — Ian