Can't install scripts from local disk after updating to 0.9.14 #1501

Closed
omega32 opened this issue Jan 23, 2012 · 6 comments

@omega32

commented Jan 23, 2012

Hi, I don't know if this is a new security feature or a bug.

If I update to 0.9.14 I can't install scripts by dragging them from my disk to the browser anymore. Downgrading to 0.9.13 fixes the problem.

Is this a bug, or a new feature? If so, how can I enable the local installs again? Thanks.

@Ventero

Contributor

commented Jan 23, 2012

This happens due to an early return in RemoteScript#_downloadFile introduced here.
If greasemonkey.fileIsGreasable is set to true, installation of local scripts works fine, so I guess the check should either be completely removed, or aURI.spec == file should always be allowed.

Edit: Even though installation works fine, it still throws an error here, since the channel doesn't support nsIHttpChannel, only nsIFileChannel, which I guess should be handled more gracefully.

@omega32

Author

commented Jan 23, 2012

Thanks. Great to know.

Now... Is this the intended behavior from now on? I thought fileIsGreasable was there to prevent scripts from running on local pages but not to block local script installations as well.

@Ventero

Contributor

commented Jan 23, 2012

I didn't write that code, and I can't speak for Arantius, but I'm pretty sure it's a bug.

@arantius

Collaborator

commented Jan 23, 2012

Yes, that's a bug. The intent was to make sure that a malicious script could not // @resource file:///some/sensitive/stuff.txt and indirectly read your drive's contents. This check should not be made for the script itself, of course. And then probably for relative requires within such scripts. I've just tagged this issue for the next upcoming release.

@arantius arantius closed this in 13d367e Jan 25, 2012
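
The policy described in the comment above, sketched as an added example (this is not Greasemonkey's code and not the change in 13d367e): the script's own download is never checked, and a `file:` dependency is accepted only for a locally installed script. The function names and the rule that only relative references qualify are assumptions made for this illustration.

```javascript
// Added illustration, not Greasemonkey's code; function names are hypothetical.
// Collect "// @require <url>" and "// @resource <name> <url>" from the metadata block.
function parseDependencies(source) {
  const deps = [];
  let inBlock = false;
  for (const line of source.split(/\r?\n/)) {
    if (/^\/\/\s*==UserScript==/.test(line)) { inBlock = true; continue; }
    if (/^\/\/\s*==\/UserScript==/.test(line)) break;
    if (!inBlock) continue;
    const m = /^\/\/\s*@(require|resource)\s+(.+?)\s*$/.exec(line);
    if (!m) continue;
    const parts = m[2].split(/\s+/);
    // @resource carries a name before the URL; @require is just the URL.
    const ref = m[1] === 'resource' ? parts[1] : parts[0];
    if (ref) deps.push({ kind: m[1], ref });
  }
  return deps;
}

// True when the reference names its own scheme (so it is not relative to the script).
const hasScheme = (ref) => /^[a-z][a-z0-9+.-]*:/i.test(ref);

// Decide each dependency download; the script itself is never passed through this check.
function checkDependencies(scriptUrl, source) {
  const scriptIsLocal = new URL(scriptUrl).protocol === 'file:';
  return parseDependencies(source).map(({ kind, ref }) => {
    const resolved = new URL(ref, scriptUrl);
    let allowed = true;
    if (resolved.protocol === 'file:') {
      // Assumption: only a local script's relative references may reach the disk.
      allowed = scriptIsLocal && !hasScheme(ref);
    }
    return { kind, ref, resolved: resolved.href, allowed };
  });
}

// Constructed sample metadata block.
const SAMPLE = [
  '// ==UserScript==',
  '// @name     demo',
  '// @require  lib/helper.js',
  '// @resource secrets file:///some/sensitive/stuff.txt',
  '// @require  https://example.com/lib.js',
  '// ==/UserScript==',
].join('\n');

console.log(checkDependencies('https://example.com/demo.user.js', SAMPLE));
console.log(checkDependencies('file:///home/user/demo.user.js', SAMPLE));
```

The same metadata block gives different results depending on where the script came from: the relative `lib/helper.js` resolves to `https:` for the remote script and to `file:` for the local one, while the absolute `file:///` resource is refused in both cases.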

@arantius

Collaborator

commented Jan 25, 2012

Reporters: Please test and report whether this build fixes your issues:
https://github.com/downloads/arantius/greasemonkey/greasemonkey-0.9.15.xpi

@omega32

Author

commented Jan 25, 2012

yea, it's working now. thanks.
