# Bleichenbacher's Ghost

## Hey man, computer security is hard.

Update 1: It broke in production…see this vlog for a review of how it broke and how we fixed it.

Update 2: This change was discussed on r/Firefox.

Update 3: This change broke in production again and this time it was disabled by default for all Firefox users. See Bug 1636855 for details. You can still enable this behavior by setting `editor.truncate_user_pastes` in `about:config` to true. Buy me a 🍺 sometime if you want to hear more about this.

Bug 1320229 - allow user pastes longer than input maxlength r=masayuki
author sanketh
Mon, 27 Apr 2020 01:29:43 +0000 (3 days ago)
changeset 526144 31503d35be56c1c7ba295b7bf3df2981384a75a8
parent 526143 fa436826f669b38d8cba67ae7245f4e0f68d18f5
child 526145 7136265fbb0f64505bb9036a8d51f40499b65674


I found this bug via this Twitter thread where it was mentioned that people were using the maxlength attribute for password inputs and this caused them to be truncated silently (which sucks if you are using a password manager and chose a password longer than the maxlength). I also encountered this bug in the past but was too lazy to fix it then, so when I saw the Bugzilla link and the responses to the tweet, I was like, maybe someone should fix it and posted about it in #security. After a bunch of back and forth, I was asked if I would be willing to write a patch, and I chose to do it.[1] The patch allows longer pastes by the user and the maxlength validation is taken care of by the form validator (which takes care of minlength, for example).
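The failure mode and the fix described above, as a DOM-free model. This is an added example, not code from the Firefox patch; the function names, the `maxlength=16` signup field, the login form without a maxlength and the sample password are all constructed assumptions.

```javascript
// Model of an <input maxlength=N> receiving a user paste (no DOM needed).
// "truncate": old behaviour, the paste is silently cut to maxlength.
// "validate": behaviour described for the patch, the full paste is kept
//             and the field is flagged as too long for the form validator.
function pasteInto(field, text, mode) {
  const limit = field.maxLength; // undefined models a missing maxlength attribute
  const over = limit !== undefined && text.length > limit;
  if (mode === "truncate") {
    return { value: over ? text.slice(0, limit) : text, tooLong: false };
  }
  return { value: text, tooLong: over };
}

// A form submits only when no field fails constraint validation.
function submit(fieldState) {
  return fieldState.tooLong
    ? { submitted: false, error: "value exceeds maxlength" }
    : { submitted: true, value: fieldState.value };
}

// Constructed scenario: the signup form has maxlength=16, the login form has none.
function signupThenLogin(password, mode) {
  const signup = submit(pasteInto({ maxLength: 16 }, password, mode));
  if (!signup.submitted) {
    // The user sees an error and can pick a password the site accepts.
    return { signup: "rejected", reason: signup.error, lockedOut: false };
  }
  const login = submit(pasteInto({}, password, mode));
  return {
    signup: "accepted",
    sentAtSignup: signup.value, // what the server actually received
    lockedOut: login.value !== signup.value,
  };
}

// Constructed sample: a 31-character password from a password manager.
const generated = "correct-horse-battery-staple-42";
console.log(signupThenLogin(generated, "truncate"));
console.log(signupThenLogin(generated, "validate"));
```

With truncation the account is created with a password the user never saw; with validation the mismatch surfaces at signup instead of at the next login.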

It was a pretty fun experience and people were really nice and accommodating. I had never worked on a browser before so it was fun learning how the sausage is made. I also never worked on such a huge codebase; compiling Firefox from source takes over an hour on my dinky laptop. Thankfully, I got used to doing development on DigitalOcean droplets (for CTFs) so getting the compile time down to a more manageable 20-40 minutes was as simple as upgrading the droplet. Once I cloned the repo and was able to build it, the next step was to write code. But my hg status took forever. After some digging, I learnt about hg watchman which made it instantaneous. Oh, yeah, I also learned how to use hg; it is not that hard if you are familiar with git and the DAG model. Quick shout-out to the blog posts of tangent spaces and Botond Ballo for helping me set up VSCode/clangd. Once I gain more experience working on mozilla-central, I will write a post with some tips and tricks.

What are you waiting for? You can check out this and other recently landed stuff in Firefox Nightly.

I wanna thank people on #security for engaging me and helping find a solution, and people on #introduction for helping me get set up. Special thanks to MattN and Masayuki for tolerating my stupid questions and helping me write an acceptable patch.

Support Mozilla with code or money!!

1. My binging of many episodes of Mike Conley’s stream played a non-trivial role in pushing me over the edge.