Bug#555955: xulrunner-1.9.1: cookies.sqlite not cleared using sqlite secure delete when private data cleared
Josh Triplett
josh at joshtriplett.org
Thu Nov 12 23:13:19 UTC 2009
On Thu, Nov 12, 2009 at 11:59:39PM +0100, Mike Hommey wrote:
> On Thu, Nov 12, 2009 at 02:49:44PM -0800, Josh Triplett wrote:
> > On Thu, Nov 12, 2009 at 11:47:01PM +0100, Mike Hommey wrote:
> > > On Thu, Nov 12, 2009 at 02:42:12PM -0800, Josh Triplett wrote:
> > > > > Yes, but there is a remove all cookies in the cookies list. If you do
> > > > > that in a new profile with new cookies, are they properly "securely"
> > > > > deleted ?
> > > >
> > > > I just tested that, and no, that doesn't work either. Starting from no
> > > > data in cookies.sqlite, I visited google.com, closed Iceweasel,
> > > > confirmed that a couple of cookies appear in cookies.sqlite, opened
> > > > Iceweasel, used "Remove all cookies", closed Iceweasel, and confirmed
> > > > that the cookies still appear in cookies.sqlite even though moz_cookies
> > > > has no rows.
> > >
> > > That's really weird, because there is nothing I can see at first hand in
> > > the mozilla code that differs between the various .sqlite files. So it
> > > looks like this could be a sqlite bug. Have you tried to remove the
> > > lines with sqlite3 itself ?
> >
> > Yes, "sqlite3 cookies.sqlite vacuum" does wipe the data.
>
> Except that vacuum is not the one, you should try a delete statement.
> (vacuum is not used in mozilla, except in expiry of form history, when
> it is big)
Oh, I see.
No, "delete from moz_cookies" in sqlite3 doesn't securely wipe the data
either, though a subsequent "vacuum" does.
- Josh Triplett
More information about the pkg-mozilla-maintainers
mailing list