LWN: Comments on "Firefox locks down the components directory"
https://lwn.net/Articles/363568/
This is a special feed containing comments posted to the individual LWN article titled "Firefox locks down the components directory".
Fri, 24 Oct 2025 00:31:06 +0000

Firefox locks down the components directory
https://lwn.net/Articles/364241/
mlankhorst, Sun, 29 Nov 2009 22:26:04 +0000

Considering it checks the file components.list, what would stop anyone from 'updating' that file, so their crappy plugin would still work?

Firefox locks down the components directory
https://lwn.net/Articles/364172/
njs, Sat, 28 Nov 2009 06:53:36 +0000

Sure, but IIUC chrome privileges *mean* you can do anything Firefox can do, e.g. write to arbitrary files; turning this into a full-blown binary code injection is easy. JSCtypes doesn't sound like it lets you do anything you couldn't do before if you really wanted to and didn't care how much wreckage you left in your wake; it just makes it easier and supported.

Firefox locks down the components directory
https://lwn.net/Articles/364097/
bangert, Fri, 27 Nov 2009 11:33:25 +0000

Except that, in the past, a number of privilege escalation bugs, elevating code to chrome:/ level, have been present in FF?

it is not a security thing
https://lwn.net/Articles/363997/
zuki, Thu, 26 Nov 2009 19:15:23 +0000

> Clearly, having executables loaded automatically at application startup simply because they are located in the components directory is a security hole, particularly when they are beyond the reach of Firefox's add-on management interface...

To me this doesn't seem so clear - if something is able to write files in the directory containing the installed program, it already has taken over this user and it might just as well overwrite the whole program with a "special" version. No need to install extensions.

This does seem to be what Mike Shaver thinks (in bug #519357, https://bugzilla.mozilla.org/show_bug.cgi?id=519357):

> This isn't designed to protect against attacks on Firefox; that is a hard battle to win (though we do the hash check on every update, and pave over if there's a mismatch). This is to close off an extension mechanism that "happened to work"

Once you are done, you're done, so not everything is a security hole.

Firefox locks down the components directory
https://lwn.net/Articles/363951/
nix, Thu, 26 Nov 2009 14:36:11 +0000

The docs explicitly say that it only works for chrome: I haven't checked the code to see if this is enforced, but the FF hackers aren't complete idiots so I suspect it is, since they went so far as to document it.

Firefox locks down the components directory
https://lwn.net/Articles/363839/
roelofs, Thu, 26 Nov 2009 05:06:26 +0000

> JSCtypes is a module that exposes C-compatible external library functions to JavaScript code.

On the face of it, that sounds very scary. Are we sure that it does so *only* for add-ons, not for embedded JS in web pages? (I don't know enough about JS in general and the specifically required Component.whatever call to be able to judge.)

Greg