devinbinnie
commented
2 months ago
- Does this have any effect on what types of files can be linked to from the web app or a web app plugin? I'm thinking of if someone had a custom plugin that opened a file on a network drive or something, but I don't think we supported that anyway.
None of these should affect any of the remote code (ie. webapp code), this is only concerned with loading files internal to the Desktop App. Nothing loaded into the Mattermost web app itself should be affected.
- Similarly, does this mean that the web app could open
mattermost-desktoplinks? I'm not sure if these changes affect the web app or just the outer Electron processes
This would technically allow any renderer process to use this protocol, however the navigation is blocked via other means, so it will try to open mattermost-desktop: links externally, which of course won't work. This protocol is only registered internally to the Desktop App
Summary
This PR is a companion to https://github.com/mattermost/desktop/pull/3094 where most of the security fuses were flipped. However this change flips only one,
GrantFileProtocolExtraPrivilegestofalseand includes a number of changes to support that fuse being flipped:file:protocol in the app, replacing it with a custom protocol calledmattermost-desktopas per the recommendation by Electron. This protocol has a handler that allows only files from therendererfolder to be served up and prevents any path traversal using said protocol.getLocalURLStringsince it's no longer required anywhereStippleMask.jpg)nativeImagelibrary that creates a base64 based thumbnail and sends that along with the other download data.This change is being separated due to how much has changed to support this, so it should likely be given more time to bake than the other fuses flips.
Ticket Link
https://mattermost.atlassian.net/browse/MM-59543