summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authoranonym <anonym@riseup.net>2018-03-05 13:12:05 +0100
committeranonym <anonym@riseup.net>2018-11-22 13:36:25 +0100
commit0996812058b100047d6b639d31bef3f18a8274ab (patch)
treecee54898d6adea85385884bacd65c058f0520e3c
parente7bd2ceeba812037e8b429af9cfa8068969582b0 (diff)
Add pref for whether we accept plaintext protocols during autoconfiguration.secure_account_creation-60.3.0
Let's make it possible for security-focused distributions (and extensions like TorBirdy) to prevent insecure configurations to ever be displayed to users; for other users there is a warning explaining the consequences of accepting a non-SSL configuration.
-rw-r--r--comm/mail/components/accountcreation/content/guessConfig.js3
-rw-r--r--comm/mail/components/accountcreation/content/readFromXML.js10
-rw-r--r--comm/mailnews/mailnews.js10
3 files changed, 22 insertions, 1 deletions
diff --git a/comm/mail/components/accountcreation/content/guessConfig.js b/comm/mail/components/accountcreation/content/guessConfig.js
index a1322d7..a62b29c 100644
--- a/comm/mail/components/accountcreation/content/guessConfig.js
+++ b/comm/mail/components/accountcreation/content/guessConfig.js
@@ -407,6 +407,7 @@ HostDetector.prototype =
{ "imap" : IMAP, "pop3" : POP, "smtp" : SMTP }, UNKNOWN);
if (!port)
port = UNKNOWN;
+ var ssl_only = Services.prefs.getBoolPref("mailnews.auto_config.ssl_only_mail_servers");
var ssl = ConvertSocketTypeToSSL(socketType);
this._cancel = false;
this._log.info("doing auto detect for protocol " + protocol +
@@ -430,6 +431,8 @@ HostDetector.prototype =
for (let j = 0; j < hostEntries.length; j++)
{
let hostTry = hostEntries[j]; // from getHostEntry()
+ if (ssl_only && hostTry.ssl == NONE)
+ continue;
hostTry.hostname = hostname;
hostTry.status = kNotTried;
hostTry.desc = hostTry.hostname + ":" + hostTry.port +
diff --git a/comm/mail/components/accountcreation/content/readFromXML.js b/comm/mail/components/accountcreation/content/readFromXML.js
index b3d804c..d323d03 100644
--- a/comm/mail/components/accountcreation/content/readFromXML.js
+++ b/comm/mail/components/accountcreation/content/readFromXML.js
@@ -27,6 +27,8 @@ function readFromXML(clientConfigXML)
}
var allow_oauth2 =
Services.prefs.getBoolPref("mailnews.auto_config.account_constraints.allow_oauth2");
+ var ssl_only =
+ Services.prefs.getBoolPref("mailnews.auto_config.ssl_only_mail_servers");
var exception;
if (typeof(clientConfigXML) != "object" ||
!("clientConfig" in clientConfigXML) ||
@@ -90,6 +92,10 @@ function readFromXML(clientConfigXML)
throw exception ? exception : "need proper <socketType> in XML";
exception = null;
+ if (ssl_only && iO.socketType == 1) {
+ continue;
+ }
+
for (let iXauth of array_or_undef(iX.$authentication))
{
try {
@@ -175,6 +181,10 @@ function readFromXML(clientConfigXML)
throw exception ? exception : "need proper <socketType> in XML";
exception = null;
+ if (ssl_only && oO.socketType == 1) {
+ continue;
+ }
+
for (let oXauth of array_or_undef(oX.$authentication))
{
try {
diff --git a/comm/mailnews/mailnews.js b/comm/mailnews/mailnews.js
index cb12b7c..d5bdafd 100644
--- a/comm/mailnews/mailnews.js
+++ b/comm/mailnews/mailnews.js
@@ -900,8 +900,16 @@ pref("mailnews.auto_config.ssl_only_config_servers", false);
pref("mailnews.auto_config.guess.enabled", true);
// The timeout (in seconds) for each guess
pref("mailnews.auto_config.guess.timeout", 10);
-// Whether we allow fetched configurations using OAuth2.
+// The prefs under the mailnews.auto_config.account_constraints
+// namespace affect the resulting account configurations of *all*
+// autoconfiguration methods:
+// * Whether we allow accounts using OAuth2.
pref("mailnews.auto_config.account_constraints.allow_oauth2", true);
+// * Whether we allow accounts that employs non-SSL/TLS protocols.
+// With this option set, insecure configurations are never presented
+// to the user; with this option unset, users picking an insecure
+// configuration will get a warning and have to opt-in.
+pref("mailnews.auto_config.ssl_only_mail_servers", false);
// -- Summary Database options
// dontPreserveOnCopy: a space separated list of properties that are not