Security Hole in Greasemonkey

Greasemonkey, in case you haven’t heard of it, is a handy extension for Firefox that allows you to change web pages on the fly. For instance, suppose you want continuous updating in Bloglines (so that the left pane with your feeds is always up to date)? Not a problem. Or maybe you want tag auto-completion in del.icio.us? Can do.

Overall, Greasemonkey is pretty sweet. Unfortunately, a security hole has come to light over the past couple of days. Mark Pilgrim, known for his sites Dive Into Mark and Dive Into Greasemonkey, explained it this way:

“This particular exploit is much, much worse than I thought. GM_xmlhttpRequest can successfully ‘GET’ any world-readable file on your local computer.

[this test page] returns the contents of c:\boot.ini, which exists on most modern Windows systems.

[…]

“In other words, running a Greasemonkey script on a site can expose the contents of every file on your local hard drive to that site. […] ”

In a later message to the Greasemonkey mailing list, he sounded the alarm:

“Uninstall Greasemonkey altogether. At this point, I don’t trust having it on my computer at all. […]

“[…] And I’m posting a big red blinking warning on every page of diveintogreasemonkey.org advising visitors to uninstall it, until all of these security holes are closed. This is why God invented the <blink> tag.”

I liked his reference to the <blink> tag there; and, yes, security holes and impending nuclear meltdowns are about its only appropriate uses (HHOS). That aside, I have uninstalled Greasemonkey for now. However, I look forward to re-enabling it once the developers work past this.

(Via: Anil, via Leia/IM)

Prevent Lost WordPress Posts

You may recall an entry from a couple of weeks ago about pretty URLs in WordPress. As it turns out, I ended up writing that entry twice. It wasn’t that I didn’t like the first version; I just accidentally closed that tab in Firefox at the time (oops). I meant to click on the right-most tab in my browser but instead clicked on the “close tab” button right there. Poof!

I was a little bit annoyed but there wasn’t much I could do about it. I wrote the entry a second time and I later looked around to see if there were any utilities which might help prevent that kind of thing in the future. One that I thought to look for was some kind of “undo close tab” extension. Well, ask and ye shall receive — a guy named Dorando created an extension called Undo Close Tab (how apropos). And, if you'd normally be wary of downloading an extension from a forum post, rest assured that he has a home page for his extensions as well, though the bulk of the information on Undo Close Tab is in his forum post.

I then took aim at the second thorn in my side, that dumb close-tab button which foiled my plans earlier. After all, even though an undo-close-tab extension would have saved me from the predicament last time, I wouldn’t have even been in that scrape if it weren’t so easy to hit that button ;). Fortunately, that’s easily done as well. This MozillaZine Knowledgebase article describes moving the tab bar (to the bottom of the browser or elsewhere on your screen), but it also includes the steps for removing the close-tab button (regardless of whether you want to move the tab bar as well). In short, you can remove your close-tab button by shutting down Firefox and adding these lines to userChrome.css:

    /* remove the close-tab button */
    .tabbrowser-tabs > stack {
      display: none;
    }

Your userChrome.css file goes in your Firefox profile directory, but the file doesn’t exist by default. Rather, there’s an example file called “userChrome-example.css” which you can Save As to userChrome.css and work from. And that previous link on the profile directory offers some tips on where your profile directory is located; that information is fine, though you may find it just as easy to search your drive — starting from C:\Documents and Settings\ — for “userChrome-example.css”.

I felt better after getting those Firefox bits in order, and I then came across a WordPress plugin which also looked helpful. Gregory Wild-Smith wrote a plugin called Twilight AutoSave which “uses cookies and JavaScript to save the data you are typing and allow you to restore it (or delete it) later”. With that and the Firefox goodies in place, I should have a smaller chance of losing my posts next time. Not that I’m going to tempt fate, but I do have some peace of mind about it now.