Skip to content
This repository

Cant't install scripts from local disk after updating to 0.9.14 #1501

Closed
omega32 opened this Issue · 6 comments

3 participants

omega32 arantius Ventero
omega32

Hi, I don't know if this is a new security feature or a bug.

If I update to 0.9.14 I can't install scripts dragging them from my disk to the browser anymore. Downgrading to 0.9.13 fixes the problem.

Is this a bug, or a new feature?. If so, how can I enable the local installs again. Thanks.

Ventero

This happens due to an early return in RemoteScript#_downloadFile introduced here.
If greasemonkey.fileIsGreasable is set to true, installation of local scripts works fine, so I guess the check should either be completely removed, or aURI.spec == file should always be allowed.

Edit: Even though installation works fine, it still throws an error here, since the channel doesn't support nsIHttpChannel, only nsIFileChannel which I guess should be handled more gracefully.

omega32

Thanks. Great to know.

Now... Is this the intended behavior from now on?. I thought fileIsGreasable was there to prevent scripts from running on local pages but not to block local script installations as well.

Ventero

I didn't write that code, and I can't speak for Arantius, but I'm pretty sure it's a bug.

arantius
Collaborator

Yes, that's a bug. The intent was to make sure that a malicious script could not // @resource file:///some/sensitive/stuff.txt and indirectly read your drive's contents. This check should not be made for the script itself, of course. And then probably for relative requires within such scripts. I've just tagged this issue for the next upcoming release.

arantius arantius closed this in 13d367e
arantius
Collaborator

Reporters: Please test and report whether this build fixes your issues:
https://github.com/downloads/arantius/greasemonkey/greasemonkey-0.9.15.xpi

omega32

yea, it's working now. thanks.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Something went wrong with that request. Please try again.