The `run_exstr` command is a legacy from when hinting involved a strange
dance through the background script. It is no longer required, so we can
call the `yank` function directly and preserve the newlines.
The Firefox Security team believe fixamo violates the AMO policy as it reduces
the security of Firefox.
I respectfully disagree, but I don't think it is a hill worth dying on.
When I started using tridactyl, I didn't find any shortcut to the ignore mode that was viable for laptop keyboards (at least on mine, since I haven't got backticks and `Ins` must be activated with `Fn`). `Shift-Esc` is relatively harmless and pretty easy to remember, so I think it may be a good one for beginners.
the parsers for all modes except the command line (which has
always been protected inside an iframe).
If the native messenger was not installed, the bug could not be
exploited for any more than nuisance attacks (closing tabs,
quitting Firefox, etc.). If the native messenger was installed,
an attack using the mpv hint mode (bound to `;v` by default) and
a specially crafted link would allow an attacker to execute some
commands in the user's shell. Due to the way hyperlinks are
encoded, it would require more cunning than the Tridactyl
developers possess to usefully exploit as it is difficult to pass
arguments to commands.
This did mean that the standard output of mpv (including the
attacker's URL) was also available to an attacker via pipes. We
are not aware of any way to abuse that with commonly installed
utilities.
We are unaware of any pages exploiting this in the wild.
Nevertheless, this security regression should not have happened.
A short incident report follows:
These checks were accidentally removed when key handling was
rewritten in September 2018. The PR was reviewed, but it was a
large PR and the regression was missed by the reviewers.
We became aware of the regression after a question in our support
chat prompted @glacambre to check on exactly how we were using
`isTrusted` and they realised that we weren't using it any more.
We will shortly introduce automated testing to check these
security properties that we rely on.
We will consider adding a check to continuous integration that
flags any change to files containing security relevant code for
more detailed review.
Affected versions: - Tridactyl 1.14.0 - 1.14.10, 1.15.0.
Mitigation:
- Update to Tridactyl 1.16.0+ or 1.14.13+
- If updating is unfeasible, we recommend removing the native
messenger by running `:! pwd` in Tridactyl and then deleting that
directory from your filesystem.
- If you've thought of a clever exploit, please contact
bovine3dom or cmcaine privately on Matrix or by email.
Firefox discourages having more than one bookmark to the same URL, but
it can happen anyway due to sync bugs or something (I have duplicate
bookmarks, anyway).
This patch deduplicates bookmarks.
Previously they went on a magical mystery tour with up to
four stops on the way.
Now they take one synchronous step and are done, hopefully
avoiding race conditions.
