Bug#555955: xulrunner-1.9.1: cookies.sqlite not cleared using sqlite secure delete when private data cleared
Josh Triplett
josh at joshtriplett.org
Thu Nov 12 22:42:12 UTC 2009
On Thu, Nov 12, 2009 at 11:34:45PM +0100, Mike Hommey wrote:
> On Thu, Nov 12, 2009 at 01:27:14PM -0800, Josh Triplett wrote:
> > On Thu, Nov 12, 2009 at 10:07:27PM +0100, Mike Hommey wrote:
> > > On Thu, Nov 12, 2009 at 12:46:28PM -0800, Josh Triplett wrote:
> > > > Package: xulrunner-1.9.1
> > > > Version: 1.9.1.4-1
> > > > Severity: important
> > > >
> > > > xulrunner now builds against sqlite with the secure deletion facility
> > > > available, and seems to securely delete data from places.sqlite when
> > > > using "Clear Recent History". However, it does not securely delete data
> > > > from cookies.sqlite.
> > > >
> > > > Steps to reproduce:
> > > >
> > > > 1) Either start from a new profile, or do a "Clear Recent History" with
> > > > time range "Everything" and at least the "Cookies" box checked
> > > > followed by running "sqlite3 cookies.sqlite vacuum"
> > > >
> > > > 2) Run "strings cookies.sqlite | grep -i google", and observe that no
> > > > results appear.
> > > >
> > > > 3) Open Iceweasel, and visit google.com. Close Iceweasel.
> > > >
> > > > 4) Run "strings cookies.sqlite | grep -i google", and observe that some
> > > > results appear, as expected.
> > > >
> > > > 5) Open Iceweasel. Do a "Clear Recent History" with time range
> > > > "Everything" and at least the "Cookies" box checked. Close
> > > > Iceweasel.
> > > >
> > > > 6) Run "strings cookies.sqlite | grep -i google", and observe that the
> > > > results from step 4 still appear, despite having cleared cookies.
> > >
> > > Did you try removing the cookies from the cookies interface ?
> >
> > After step 5 (clearing recent history), the cookies don't show up in the
> > cookies interface. And checking with the sqlite3 command-line utility
> > confirms that the moz_cookies table has no rows.
>
> Yes, but there is a remove all cookies in the cookies list. If you do
> that in a new profile with new cookies, are they properly "securely"
> deleted ?
I just tested that, and no, that doesn't work either. Starting from no
data in cookies.sqlite, I visited google.com, closed Iceweasel,
confirmed that a couple of cookies appear in cookies.sqlite, opened
Iceweasel, used "Remove all cookies", closed Iceweasel, and confirmed
that the cookies still appear in cookies.sqlite even though moz_cookies
has no rows.
- Josh Triplett
More information about the pkg-mozilla-maintainers
mailing list