This removes all .flake8 files except for the one at the root of the repo.
Instead we use the new 'per-file-ignores' config introduced in 3.7. To ignore
specific errors in a subdirectory, add a line like this to the root .flake8:
[per-file-ignores]
path/to/subdir/*: E100, F200, ...
The reasons for this change are:
1. Unblock flake8 blacklist (bug 1367092).
2. Simplify configuration and code.
3. Encourage more consistent styling.
4. Improve performance.
5. Greater editor consistency.
Differential Revision: https://phabricator.services.mozilla.com/D18354
--HG--
extra : moz-landing-system : lando
This bumps flake8 to version 3.7.5.
This also ignores the new lint rules that were added in the new versions.
These rules are de-marked via comment so we know that they should be enabled at
some point (as opposed to the other rules that are (presumably) ignored
intentionally).
Differential Revision: https://phabricator.services.mozilla.com/D18353
--HG--
extra : moz-landing-system : lando
In bug 1525191, the test certificates expired again. While regenerating them is
almost as simple as running a script, there were some manual test changes that
had to happen to get the tests passing again. This patch fixes up those tests so
that they shouldn't need changing the next time we regenerate the certificates.
Differential Revision: https://phabricator.services.mozilla.com/D18891
--HG--
extra : moz-landing-system : lando
For cases where the class has direct calls (that is, we cast `this` to the
subclass before making the call) no longer declare Recv/Answer methods on the
base class at all. This should ensure that slots for them are not generated in
vtables, and also allow the derived class to choose the method signature (e.g.
whether it wants to take something by reference or by value).
Differential Revision: https://phabricator.services.mozilla.com/D18132
--HG--
extra : moz-landing-system : lando
Summary:
Scripts:
https://gist.github.com/jcjones/b25e07de3a48c3ed084f0f9e26911693
# From the above gist
./jcj-regenerate-certspecs
# This is a DER form, not a PEM.
openssl x509 -in security/manager/ssl/tests/unit/test_signed_apps/xpcshellTestRoot.pem -outform der > security/manager/ssl/tests/unit/test_signed_apps/xpcshellTestRoot.der
rm security/manager/ssl/tests/unit/test_signed_apps/xpcshellTestRoot.pem
# These don't seem to be checked in
rm services/common/tests/unit/test_blocklist_signatures/*.pem
Reviewers: ccoroiu
Bug #: 1525191
Differential Revision: https://phabricator.services.mozilla.com/D18638
--HG--
extra : histedit_source : f6e29ef6f3d012e42cda980abbb13bc4276702d6
Before this patch, if the enterprise roots feature were enabled, nsNSSComponent
would gather any such roots and temporarily import them into NSS so that
CertVerifier could use them during path building and trust querying. This turned
out to be problematic in part because doing so would require unlocking the
user's key DB if they had a password. This patch implements a scheme whereby
nsNSSComponent can give these extra roots directly to CertVerifier, thus
bypassing NSS and any need to unlock/modify any DBs. This should also provide a
path forward for other improvements such as not repeatedly searching through all
certificates on all tokens, which has inefficiencies (see e.g. bug 1478148).
Differential Revision: https://phabricator.services.mozilla.com/D18156
--HG--
extra : moz-landing-system : lando
Whitelist the /Library and ~/Library ColorSync profile directories allowing gfx.color_management.display_profile to be used to load color profiles from those locations.
Differential Revision: https://phabricator.services.mozilla.com/D18390
--HG--
extra : moz-landing-system : lando
The sandbox already permits the process to create/delete the folder and access files in it. This patch gives it access to the folder itself, namely it allows NtQueryAttributesFile to evaluate it. For complex reasons, this fixes Flash's ability to store local objects (see AS3's SharedObject API).
Differential Revision: https://phabricator.services.mozilla.com/D18299
--HG--
extra : moz-landing-system : lando
The Family Safety TLS interception feature is seldom used and security-wise is
essentially equivalent to the enterprise or third-party roots feature. To
simplify future improvements, this patch folds them together by automatically
importing third-party roots if Firefox detects that the Family Safety TLS
interception feature has been enabled. This affects Windows 8.1 only. When
usage of Windows 8.1 is low enough, we will remove the feature altogether.
Differential Revision: https://phabricator.services.mozilla.com/D16727
--HG--
extra : moz-landing-system : lando
This stops the use of some win32k calls during start-up that will fail and in
some cases cause a crash.
It also moves the MITIGATION_DYNAMIC_CODE_DISABLE to be enabled after start-up.
This is required because the hooks to fake the user32 and gdi32 initialization
are applied as the DLLs load and the dynamic code disable blocks that.
Add "(with no-log)" to the iokit-get-properties and other extra deny types in the content and GMP sandbox profiles.
Differential Revision: https://phabricator.services.mozilla.com/D17285
--HG--
extra : moz-landing-system : lando
NSS 3.42 added a new build flag, enable_sslkeylogfile, to toggle the
availability of the SSLKEYLOGFILE variable (see Bug 1515236 and Bug 1519209).
Differential Revision: https://phabricator.services.mozilla.com/D17588
--HG--
extra : moz-landing-system : lando
***
Bug 1514594: Part 3a - Change ChromeUtils.import to return an exports object; not pollute global. r=mccr8
This changes the behavior of ChromeUtils.import() to return an exports object,
rather than a module global, in all cases except when `null` is passed as a
second argument, and changes the default behavior not to pollute the global
scope with the module's exports. Thus, the following code written for the old
model:
ChromeUtils.import("resource://gre/modules/Services.jsm");
is approximately the same as the following, in the new model:
var {Services} = ChromeUtils.import("resource://gre/modules/Services.jsm");
Since the two behaviors are mutually incompatible, this patch will land with a
scripted rewrite to update all existing callers to use the new model rather
than the old.
***
Bug 1514594: Part 3b - Mass rewrite all JS code to use the new ChromeUtils.import API. rs=Gijs
This was done using the following script:
https://bitbucket.org/kmaglione/m-c-rewrites/src/tip/processors/cu-import-exports.jsm
***
Bug 1514594: Part 3c - Update ESLint plugin for ChromeUtils.import API changes. r=Standard8
Differential Revision: https://phabricator.services.mozilla.com/D16747
***
Bug 1514594: Part 3d - Remove/fix hundreds of duplicate imports from sync tests. r=Gijs
Differential Revision: https://phabricator.services.mozilla.com/D16748
***
Bug 1514594: Part 3e - Remove no-op ChromeUtils.import() calls. r=Gijs
Differential Revision: https://phabricator.services.mozilla.com/D16749
***
Bug 1514594: Part 3f.1 - Cleanup various test corner cases after mass rewrite. r=Gijs
***
Bug 1514594: Part 3f.2 - Cleanup various non-test corner cases after mass rewrite. r=Gijs
Differential Revision: https://phabricator.services.mozilla.com/D16750
--HG--
extra : rebase_source : 359574ee3064c90f33bf36c2ebe3159a24cc8895
extra : histedit_source : b93c8f42808b1599f9122d7842d2c0b3e656a594%2C64a3a4e3359dc889e2ab2b49461bab9e27fc10a7
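As an added illustration of the rewrite the Bug 1514594 parts above describe, here is a small constructed, regex-based stand-in for the mass rewrite: it is not the m-c-rewrites script linked in Part 3b, and the EXPORTED_SYMBOLS map below is a hand-written sample rather than something read from the real modules. It converts old-model side-effect imports into the `var {...} = ChromeUtils.import(...)` form, keeps only the symbols the file actually references, and drops duplicate and no-op imports as Parts 3d and 3e did.

```javascript
// Constructed sample of each module's EXPORTED_SYMBOLS (assumption: in a real
// rewrite this would be read from the .jsm files themselves).
const EXPORTED_SYMBOLS = {
  "resource://gre/modules/Services.jsm": ["Services"],
  "resource://gre/modules/XPCOMUtils.jsm": ["XPCOMUtils"],
};

// An old-model import: a bare ChromeUtils.import("...") statement whose result
// is not assigned, i.e. it relied on the call polluting the global scope.
const OLD_IMPORT_RE = /^[ \t]*ChromeUtils\.import\(\s*"([^"]+)"\s*\);?[ \t]*\n?/gm;

// Rewrite every old-model import in `source` to the new exports-object form.
function rewriteImports(source) {
  // The file body with all old-model import statements removed; used to decide
  // which exported symbols are actually referenced by the remaining code.
  const body = source.replace(OLD_IMPORT_RE, "");
  const seen = new Set();
  return source.replace(OLD_IMPORT_RE, (match, url) => {
    const exported = EXPORTED_SYMBOLS[url];
    if (!exported) {
      return match; // unknown module: leave it for a human to look at
    }
    if (seen.has(url)) {
      return ""; // duplicate import of the same module (Part 3d)
    }
    seen.add(url);
    const used = exported.filter(sym => new RegExp(`\\b${sym}\\b`).test(body));
    if (used.length === 0) {
      return ""; // nothing from this module is used: no-op import (Part 3e)
    }
    return `var {${used.join(", ")}} = ChromeUtils.import("${url}");\n`;
  });
}

// Constructed sample input exercising all three cases.
const SAMPLE_SOURCE = `ChromeUtils.import("resource://gre/modules/Services.jsm");
ChromeUtils.import("resource://gre/modules/XPCOMUtils.jsm");
ChromeUtils.import("resource://gre/modules/Services.jsm");
Services.prefs.getBoolPref("security.sandbox.content.mac.earlyinit");
`;
```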
For sandbox early startup, ensure violation logging is only enabled when the parent passes the -sbLogging flag.
Differential Revision: https://phabricator.services.mozilla.com/D17013
--HG--
extra : moz-landing-system : lando
In Bug 1462100 we started casting to void* because mingw doesn't do
automatic conversions like MSVC does. In Bug 1498695 I backed out that
change because I (mistakenly) thought it wasn't necessary for mingw-clang
when in actuality, I simply wasn't hitting the code path due to
SANDBOX_EXPORTS being defined.
Since we want to _not_ define SANDBOX_EXPORTS I need to put the original
patch back in place.
--HG--
extra : amend_source : a26eec746e7881fa88b963c8dd3c1fa900b6a8b6
Before this patch, NSSCertDBTrustDomain::FindIssuer would iterate over its
candidate list (a CERTCertList) twice. This would have made it difficult to add
in candidate issuers from other sources (see e.g. bug 1514118, wherein the goal
is to bypass NSS' view of what certificates exist to facilitate third
party/enterprise roots). This patch reorganizes this function to make future
improvements easier.
Differential Revision: https://phabricator.services.mozilla.com/D16341
--HG--
extra : moz-landing-system : lando
As originally written, the keychain-backed secret storing implementation would
not overwrite a secret if prompted to generate or recover one with a label that
was already in use. Since libsecret and credential manager both do this by
default, this change makes the keychain-backed implementation behave the same
way.
Differential Revision: https://phabricator.services.mozilla.com/D15697
--HG--
extra : moz-landing-system : lando
Only STATE_SECURE_HIGH is used, and that's only in instances where
STATE_IS_SECURE is also used, so we can remove the security level
flags and just assume STATE_IS_SECURE is also STATE_SECURE_HIGH.
Differential Revision: https://phabricator.services.mozilla.com/D15600
--HG--
extra : moz-landing-system : lando
Enough linux-based systems don't have libsecret that we can't make it a
requirement on linux. For those that do, however, we can dynamically load the
library at runtime. For those that don't, we can fall back to NSS.
Differential Revision: https://phabricator.services.mozilla.com/D9969
--HG--
extra : moz-landing-system : lando
Allow access to device-id and vendor-id IOKit properties needed for AppleIntelHD3000GraphicsGLDriver.
Fixes a crash in the AppleIntelHD3000GraphicsGLDriver userland driver which is used in some 2011-era Macs.
Differential Revision: https://phabricator.services.mozilla.com/D15528
--HG--
extra : moz-landing-system : lando
This collects SSL_TIME_UNTIL_HANDSHAKE_FINISHED dependent on the key group used. This is nice to have in general and especially for the ecdhe-sidh thing.
Differential Revision: https://phabricator.services.mozilla.com/D13524
--HG--
extra : moz-landing-system : lando
In Bug 1499846 we added support for OSX to do Keychain-based reauthentication.
On newer versions of OSX, it's possible to instead do TouchID/FaceID for biometric
reauthentication, with a fallback to Keychain.
This implements that functionality. There's no C++ interface to access the
LocalAuthentication framework, so it adds an Objective-C method called by the
existing OSReauthenticator methods to perform its work.
Differential Revision: https://phabricator.services.mozilla.com/D11700
--HG--
extra : moz-landing-system : lando
This is a best effort attempt at ensuring that the adverse impact of
reformatting the entire tree over the comments would be minimal. I've used a
combination of strategies including disabling of formatting, some manual
formatting and some changes to formatting to work around some clang-format
limitations.
Differential Revision: https://phabricator.services.mozilla.com/D13371
--HG--
extra : moz-landing-system : lando
DecodeInclusionProof as originally implemented used the wrong convention - its
input argument should have always been an Input rather than a Reader.
Differential Revision: https://phabricator.services.mozilla.com/D11811
--HG--
extra : moz-landing-system : lando
The original implementation of Certificate Transparency included a definition
for the first version of the Signed Tree Head data structure but it was never
actually used. Now that we're implementing Binary Transparency, we need to
implement support for Signed Tree Head V2. Because the focus and approach are
different, the first step is to remove the original implementation.
Differential Revision: https://phabricator.services.mozilla.com/D11810
--HG--
extra : moz-landing-system : lando
The tables in SandboxFilterUtil.cpp should remain vertically aligned,
but clang-format would disagree. This patch excludes that region from
reformatting, and applies the other changes that clang-format would make
there.
Differential Revision: https://phabricator.services.mozilla.com/D12499
--HG--
extra : moz-landing-system : lando
Until more analysis is done, add back access to com.apple.CoreServices.coreservicesd to avoid extra allocations that are triggered when the service is blocked.
Differential Revision: https://phabricator.services.mozilla.com/D12479
--HG--
extra : moz-landing-system : lando
We shouldn't reenter DataStorageSharedThread::Shutdown(), but it may be
possible. To guard against potentially attempting to shut down the shared thread
more than once, we can check gDataStorageSharedThreadShutDown first.
Differential Revision: https://phabricator.services.mozilla.com/D12050
--HG--
extra : moz-landing-system : lando
This adds a hard-coded number of retries for Windows re-auth.
I also changed to always return NS_OK unless a real error occurred to make this behave like the macOS version.
Differential Revision: https://phabricator.services.mozilla.com/D11438
--HG--
extra : moz-landing-system : lando
Judging by some stack traces we've received in crash reports, while shutting
down the DataStorageSharedThread, it is possible to process an event on that
thread that causes an attempt to re-initialize DataStorage. This wouldn't be a
problem because we have a shutdown sentinel boolean and we exit early if it is
true. However, checking the boolean involves acquiring the static lock for the
thread, which means we can't be holding the lock while we're shutting down the
thread.
Differential Revision: https://phabricator.services.mozilla.com/D11708
--HG--
extra : moz-landing-system : lando
Don't start the sandbox until after the port exchange so the parent process does not have to wait longer in ContentParent::LaunchSubprocess() for the (expensive) sandbox_init_with_parameters call to complete in the child. Remove the policy rule allowing access to the parent port now that it is already open when the sandbox is initialized and therefore not needed.
Differential Revision: https://phabricator.services.mozilla.com/D11186
--HG--
extra : moz-landing-system : lando
mingw-clang, when using SEH exceptions, compiles these fine but doesn't unwind
them properly. When using sj/lj exceptions it can't compile them at all.
--HG--
extra : histedit_source : 4bda121d4d60ab6e7cf51a3d4287261c81904fe2
Add the /private/var directory to the list of file-read-metadata paths to avoid rendering issues on macOS 10.14 when sandbox early startup is enabled.
Differential Revision: https://phabricator.services.mozilla.com/D9933
--HG--
extra : moz-landing-system : lando
The original threading model of OSKeyStore could lead to a deadlock if an
asynchronous event were dispatched and then the isNSSKeyStore attribute were
queried. This patch removes that pitfall by moving the determination of the
attribute to OSKeyStore rather than the underlying implementation.
Additionally, the original threading model was inefficient in that it created
and destroyed a thread per asynchronous operation. This patch reworks this to
only ever create one worker thread.
Differential Revision: https://phabricator.services.mozilla.com/D9299
--HG--
extra : moz-landing-system : lando
In bug 1475775, we added code to remove the old NSS key DB if the user has set a
password on the grounds that the old DB could potentially be unencrypted and
contain secrets. However, we did so with the assumption that we were using the
new DB, which is not necessarily true when the system has been configured to
always use the old DB, as with some RedHat products. This patch checks for the
existence of the new DB before proceeding with deleting the old DB. Technically
this isn't sufficient, because the new DB could be present even if we're not
using it. However, we've already gone far into "this configuration isn't
supported" territory.
Differential Revision: https://phabricator.services.mozilla.com/D9318
--HG--
extra : moz-landing-system : lando
This patch morphs MasterPassword.jsm to OSKeyStore.jsm while keeping the same
API, as an adaptor between the API and the native API exposed as nsIOSKeyStore.idl.
Note that OS Key Store has the concept of a "recovery phrase" that we won't
be adopting here. The recovery phrase, together with our label, allows
the user to re-create the same key in the OS key store.
Test case changes are needed because we have started asking for login in
places where previously we only did so when "master password is enabled".
This also made some "when master password is enabled" tests invalid because
it is always considered enabled.
Some more test changes are needed simply because they previously relied on the
stable order of microtask resolutions (and the stable # of promises for a
specific operation). That has certainly changed with OSKeyStore.
The credit card form autofill is only enabled on Nightly.
Differential Revision: https://phabricator.services.mozilla.com/D4498
--HG--
rename : browser/extensions/formautofill/MasterPassword.jsm => browser/extensions/formautofill/OSKeyStore.jsm
rename : browser/extensions/formautofill/test/browser/browser_creditCard_fill_master_password.js => browser/extensions/formautofill/test/browser/browser_creditCard_fill_cancel_login.js
extra : rebase_source : cabbd8cdec86e5b3965cf1c8b6e635b73b6c2095
extra : histedit_source : 65e71057104465553fefa1d0b293580efed53075
Only allow access to "com.apple.windowserver.active" when the pref
"security.sandbox.content.mac.disconnect-windowserver" is set to true.
Depends on D6721
Differential Revision: https://phabricator.services.mozilla.com/D7357
--HG--
extra : moz-landing-system : lando
When early initialization of the sandbox is enabled, assert that the sandbox has already been enabled in ContentProcess::Init().
Depends on D6720
Differential Revision: https://phabricator.services.mozilla.com/D6721
--HG--
extra : moz-landing-system : lando
Pass sandbox parameters to content processes on the command line allowing for early sandbox startup.
Pref'd off behind "security.sandbox.content.mac.earlyinit" until it's ready to be enabled by default.
Once early startup is enabled by default and considered stable, the original sandbox startup code can be removed.
Depends on D6719
Differential Revision: https://phabricator.services.mozilla.com/D6720
--HG--
extra : moz-landing-system : lando
Simplify the content sandbox policy by removing APP_BINARY_PATH and APP_DIR Mac sandbox parameters and their associated rules in the policy. Keep APP_PATH which is a parent directory of APP_BINARY_PATH and APP_DIR. Change APP_PATH to be the path to the parent process .app directory and make GetAppPath return this path when called from the parent or a child process.
Depends on D6717
Differential Revision: https://phabricator.services.mozilla.com/D6719
--HG--
extra : moz-landing-system : lando
This is a straightforward patch.
Just add a new attribute in nsIProtocolProxyService to indicate whether PAC is still loading. If yes, fail the OCSP request.
Differential Revision: https://phabricator.services.mozilla.com/D9154
--HG--
extra : moz-landing-system : lando
Before this patch, Necko functions polling the state of TLS sockets
(essentially, TransportSecurityInfo) would cause a considerable amount of
locking on TransportSecurityInfo::mMutex instances via GetErrorCode(). Most of
this code only cared if an error had been set via SetCanceled(), so this patch
adds an atomic boolean mCanceled (and associated accessor GetCanceled()) that
can be used to the same effect but without acquiring the lock.
Differential Revision: https://phabricator.services.mozilla.com/D8754
--HG--
extra : moz-landing-system : lando
The compiler warns that jobLevel is uninitialized if none of the if-else
conditions are true. Simply replacing the leading assert with a
"else crash" tells the compiler that case will never actually happen.
Differential Revision: https://phabricator.services.mozilla.com/D8841
--HG--
extra : moz-landing-system : lando
Allow NPAPI sandbox to use restricting SIDs. This hardens the plugin sandbox.
Differential Revision: https://phabricator.services.mozilla.com/D8746
--HG--
extra : moz-landing-system : lando
If nsSecureBrowserUIImpl::OnLocationChange receives a
LOCATION_CHANGE_SAME_DOCUMENT notification, it doesn't need to (and in fact
shouldn't) update its security state or notify downstream listeners.
Differential Revision: https://phabricator.services.mozilla.com/D8900
--HG--
extra : moz-landing-system : lando
The desired outcome of this change is that we'll set
-Wl,--version-script based on linker kind and not on the output of
$LINKER -v.
This is a cheap way to address a simple problem that has a complicated
ideal solution. The underlying issue is that in some situations, when
targeting Android, a macOS system ld is interrogated to determine if
a cross-compiling linker "is GNU ld" and a particular linker feature
is set in that situation. The macOS system ld doesn't pass the "is
GNU ld" test, and the linker feature isn't set; that causes link
failures, even though the actual linker has nothing to do with the
system ld.
The ideal solution is to test for linker capabilities dynamically. We
do a lot of that in old-configure.in, and we don't do any of that in
toolchain.configure. Rather than start testing in
toolchain.configure, we hard-code: a cheap solution to the immediate
problem.
MinGW suffers somewhat from the opposite problem: the linker "is GNU
ld" (compatible), but the linker checks don't happen at all. We hard-code
for MinGW based on the C compiler instead.
Differential Revision: https://phabricator.services.mozilla.com/D8471
--HG--
extra : moz-landing-system : lando
In reimplementing the OCSP fetching code in bug 1456489, we improperly
translated an assertion that relied on the nullness of a pointer to rely on the
length of a data structure that was populated by reference. It turns out that
this made the assertion invalid because we could return a successful result and
have filled the data structure with zero-length data and it still would be valid
to operate on (the decoding code returns a malformed input result in this case).
To fix this, we can simply remove the assertion. This patch also adds a test to
exercise this case.
Differential Revision: https://phabricator.services.mozilla.com/D8883
--HG--
extra : moz-landing-system : lando