[bug#74648] gnu: librewolf: Add %u to Exec option to open URLs.

Message ID dd246aacd5131efa0133601d89dc0f63479ab035.1733138991.git.roman@burningswell.com
State New
Headers
Series [bug#74648] gnu: librewolf: Add %u to Exec option to open URLs. |

Commit Message

Roman Scherer Dec. 2, 2024, 12:20 p.m. UTC
  * gnu/packages/librewolf.scm (librewolf): Add %u to Exec option to open URLs.

Change-Id: I8cf5d3886eaf7805209cf12eae0cc875bef6d5dd
---
 gnu/packages/librewolf.scm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)


base-commit: 2756c660fb2d9e2fe3e1fd0898e4d7038c8273c7
  

Comments

André Batista Dec. 2, 2024, 2:31 p.m. UTC | #1
Hi Roman,

seg 02 dez 2024 às 13:20:20 (1733156420), roman@burningswell.com enviou:
> * gnu/packages/librewolf.scm (librewolf): Add %u to Exec option to open URLs.
> 
> Change-Id: I8cf5d3886eaf7805209cf12eae0cc875bef6d5dd
> ---
>  gnu/packages/librewolf.scm | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/gnu/packages/librewolf.scm b/gnu/packages/librewolf.scm
> index 5d432cfad8..42d212e9f9 100644
> --- a/gnu/packages/librewolf.scm
> +++ b/gnu/packages/librewolf.scm
> @@ -605,7 +605,7 @@ (define-public librewolf
>                           (substitute* desktop-file
>                             (("^Exec=@MOZ_APP_NAME@")
>                              (string-append "Exec="
> -                                           #$output "/bin/librewolf"))
> +                                           #$output "/bin/librewolf %u"))
>                             (("@MOZ_APP_DISPLAYNAME@")
> 

This was its previous state and was removed on commit
280aa6b57d7b741a7d8b076e1afa3dff23569332. See also #74070.

Copying Ian, who was the author of that change and has been maintaining
Librewolf.

Cheers!
  
Roman Scherer Dec. 2, 2024, 3:29 p.m. UTC | #2
André Batista <nandre@riseup.net> writes:

Hi André,

thanks for taking a look. So this is fixing a security issue? Which one
exactly? Is it this one?

CVE-2024-10462: Origin of permission prompt could be spoofed by long URL

Are we planning todo the same for Icecat? If so, could we have a variant
of the browsers in Guix that are less hardened, and would allow opening
URLs?

I'm using Slack via Flatpack and not being able to open URLs from there
or other applications with my browser is a bit tedious.

Roman

> Hi Roman,
>
> seg 02 dez 2024 às 13:20:20 (1733156420), roman@burningswell.com enviou:
>> * gnu/packages/librewolf.scm (librewolf): Add %u to Exec option to open URLs.
>>
>> Change-Id: I8cf5d3886eaf7805209cf12eae0cc875bef6d5dd
>> ---
>>  gnu/packages/librewolf.scm | 2 +-
>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/gnu/packages/librewolf.scm b/gnu/packages/librewolf.scm
>> index 5d432cfad8..42d212e9f9 100644
>> --- a/gnu/packages/librewolf.scm
>> +++ b/gnu/packages/librewolf.scm
>> @@ -605,7 +605,7 @@ (define-public librewolf
>>                           (substitute* desktop-file
>>                             (("^Exec=@MOZ_APP_NAME@")
>>                              (string-append "Exec="
>> -                                           #$output "/bin/librewolf"))
>> +                                           #$output "/bin/librewolf %u"))
>>                             (("@MOZ_APP_DISPLAYNAME@")
>>
>
> This was its previous state and was removed on commit
> 280aa6b57d7b741a7d8b076e1afa3dff23569332. See also #74070.
>
> Copying Ian, who was the author of that change and has been maintaining
> Librewolf.
>
> Cheers!
  
Ian Eure Dec. 2, 2024, 4:30 p.m. UTC | #3
Hi Roman, André,

Roman Scherer <roman@burningswell.com> writes:

> André Batista <nandre@riseup.net> writes:
>
> Hi André,
>
> thanks for taking a look. So this is fixing a security issue? 
> Which one
> exactly? Is it this one?
>

This isn’t a security issue, the concern was created in a change 
which also had security updates.  The current nature of the 
browser ecosystem means nearly every Firefox update contains 
security fixes, so presence of them isn’t a very useful signal.

>
>> Hi Roman,
>>
>> seg 02 dez 2024 às 13:20:20 (1733156420), 
>> roman@burningswell.com enviou:
>>> * gnu/packages/librewolf.scm (librewolf): Add %u to Exec 
>>> option to open URLs.
>>>
>>> Change-Id: I8cf5d3886eaf7805209cf12eae0cc875bef6d5dd
>>> ---
>>>  gnu/packages/librewolf.scm | 2 +-
>>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>>
>>> diff --git a/gnu/packages/librewolf.scm 
>>> b/gnu/packages/librewolf.scm
>>> index 5d432cfad8..42d212e9f9 100644
>>> --- a/gnu/packages/librewolf.scm
>>> +++ b/gnu/packages/librewolf.scm
>>> @@ -605,7 +605,7 @@ (define-public librewolf
>>>                           (substitute* desktop-file
>>>                             (("^Exec=@MOZ_APP_NAME@")
>>>                              (string-append "Exec="
>>> -                                           #$output 
>>> "/bin/librewolf"))
>>> +                                           #$output 
>>> "/bin/librewolf %u"))
>>>                             (("@MOZ_APP_DISPLAYNAME@")
>>>
>>
>> This was its previous state and was removed on commit
>> 280aa6b57d7b741a7d8b076e1afa3dff23569332. See also #74070.
>>
>> Copying Ian, who was the author of that change and has been 
>> maintaining
>> Librewolf.
>>

The context behind this change is that Firefox used to ship a 
taskcluster/docker/firefox-snap/firefox.desktop file which had an 
Exec line like this:

    Exec=@MOZ_APP_NAME@ %u

The Guix package would use that file, replacing the token with the 
path to the binary.  The presence of %u in the package definition 
is because the substitute* regexp is sloppy and replaces the whole 
line instead of @MOZ_APP_NAME@ only.  For reasons unknown to me, 
Firefox stopped shipping this file and deleted it from their repo. 
I looked around the repo and found 
toolkit/mozapps/installer/linux/rpm/mozilla.desktop, for the rpm 
package.  Its Exec line is:

    Exec=@MOZ_APP_NAME@

So I updated the package to use that, and the regexp to match.

The patch in #74648 looks fine to me, and I think it should be 
pushed.

Thanks,

  — Ian
  
Roman Scherer Dec. 3, 2024, 9:31 a.m. UTC | #4
Ian Eure <ian@retrospec.tv> writes:

Ok, thanks for the summary Ian. Looking forward for the patch to be
applied.

Thanks, Roman.

> Hi Roman, André,
>
> Roman Scherer <roman@burningswell.com> writes:
>
>> André Batista <nandre@riseup.net> writes:
>>
>> Hi André,
>>
>> thanks for taking a look. So this is fixing a security issue? Which
>> one
>> exactly? Is it this one?
>>
>
> This isn’t a security issue, the concern was created in a change which
> also had security updates.  The current nature of the browser
> ecosystem means nearly every Firefox update contains security fixes,
> so presence of them isn’t a very useful signal.
>
>>
>>> Hi Roman,
>>>
>>> seg 02 dez 2024 às 13:20:20 (1733156420), roman@burningswell.com
>>> enviou:
>>>> * gnu/packages/librewolf.scm (librewolf): Add %u to Exec option to
>>>> open URLs.
>>>>
>>>> Change-Id: I8cf5d3886eaf7805209cf12eae0cc875bef6d5dd
>>>> ---
>>>>  gnu/packages/librewolf.scm | 2 +-
>>>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>>>
>>>> diff --git a/gnu/packages/librewolf.scm
>>>> b/gnu/packages/librewolf.scm
>>>> index 5d432cfad8..42d212e9f9 100644
>>>> --- a/gnu/packages/librewolf.scm
>>>> +++ b/gnu/packages/librewolf.scm
>>>> @@ -605,7 +605,7 @@ (define-public librewolf
>>>>                           (substitute* desktop-file
>>>>                             (("^Exec=@MOZ_APP_NAME@")
>>>>                              (string-append "Exec="
>>>> -                                           #$output
>>>> "/bin/librewolf"))
>>>> +                                           #$output
>>>> "/bin/librewolf %u"))
>>>>                             (("@MOZ_APP_DISPLAYNAME@")
>>>>
>>>
>>> This was its previous state and was removed on commit
>>> 280aa6b57d7b741a7d8b076e1afa3dff23569332. See also #74070.
>>>
>>> Copying Ian, who was the author of that change and has been
>>> maintaining
>>> Librewolf.
>>>
>
> The context behind this change is that Firefox used to ship a
> taskcluster/docker/firefox-snap/firefox.desktop file which had an Exec
> line like this:
>
>    Exec=@MOZ_APP_NAME@ %u
>
> The Guix package would use that file, replacing the token with the
> path to the binary.  The presence of %u in the package definition is
> because the substitute* regexp is sloppy and replaces the whole line
> instead of @MOZ_APP_NAME@ only.  For reasons unknown to me, Firefox
> stopped shipping this file and deleted it from their repo. I looked
> around the repo and found
> toolkit/mozapps/installer/linux/rpm/mozilla.desktop, for the rpm
> package.  Its Exec line is:
>
>    Exec=@MOZ_APP_NAME@
>
> So I updated the package to use that, and the regexp to match.
>
> The patch in #74648 looks fine to me, and I think it should be pushed.
>
> Thanks,
>
>  — Ian
  
Sharlatan Hellseher Dec. 11, 2024, 8:29 p.m. UTC | #5
Hi,

Pushed with updated commit message as
dc2df5b86942e70c4d9f24533f6609153e9b2889 to master.

--
Oleg
  

Patch

diff --git a/gnu/packages/librewolf.scm b/gnu/packages/librewolf.scm
index 5d432cfad8..42d212e9f9 100644
--- a/gnu/packages/librewolf.scm
+++ b/gnu/packages/librewolf.scm
@@ -605,7 +605,7 @@  (define-public librewolf
                          (substitute* desktop-file
                            (("^Exec=@MOZ_APP_NAME@")
                             (string-append "Exec="
-                                           #$output "/bin/librewolf"))
+                                           #$output "/bin/librewolf %u"))
                            (("@MOZ_APP_DISPLAYNAME@")
                             "LibreWolf")
                            (("@MOZ_APP_REMOTINGNAME@")