<html>
  <head>

    <meta http-equiv="content-type" content="text/html; charset=utf-8">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <p><br>
    </p>
    <p>hi, <br>
    </p>
    <p>anybody got an insight into NSS initialisation to tell me if this
      is a good fix?</p>
    <p>it seems plausible to me, but i haven't tested it, and my OS is
      so new it creates the new SQL profiles by default anyway.</p>
    <p>anybody got an old system and some time to test if it actually
      works?</p>
    <p>but i'm thinking we need some insight here before backporting the
      recent bundled NSS upgrade to release branches :)<br>
    </p>
    <div class="moz-forward-container"><br>
      <br>
      -------- Forwarded Message --------
      <table class="moz-email-headers-table" border="0" cellspacing="0"
        cellpadding="0">
        <tbody>
          <tr>
            <th valign="BASELINE" align="RIGHT" nowrap="nowrap">Subject:
            </th>
            <td>[PATCH] xmlsecurity: nsscrypto_initialize: try to avoid
              profile migr...</td>
          </tr>
          <tr>
            <th valign="BASELINE" align="RIGHT" nowrap="nowrap">Date: </th>
            <td>Thu, 9 Aug 2018 12:02:55 +0200</td>
          </tr>
          <tr>
            <th valign="BASELINE" align="RIGHT" nowrap="nowrap">From: </th>
            <td>Michael Stahl (via Code Review)
              <a class="moz-txt-link-rfc2396E" href="mailto:gerrit@gerrit.libreoffice.org">&lt;gerrit@gerrit.libreoffice.org&gt;</a></td>
          </tr>
          <tr>
            <th valign="BASELINE" align="RIGHT" nowrap="nowrap">Reply-To:
            </th>
            <td><a class="moz-txt-link-abbreviated" href="mailto:Michael.Stahl@cib.de">Michael.Stahl@cib.de</a></td>
          </tr>
          <tr>
            <th valign="BASELINE" align="RIGHT" nowrap="nowrap">CC: </th>
            <td>Michael Stahl <a class="moz-txt-link-rfc2396E" href="mailto:Michael.Stahl@cib.de">&lt;Michael.Stahl@cib.de&gt;</a></td>
          </tr>
        </tbody>
      </table>
      <br>
      <br>
      <pre>Hi,

I would like you to review the following patch:

    <a class="moz-txt-link-freetext" href="https://gerrit.libreoffice.org/58756">https://gerrit.libreoffice.org/58756</a>

To pull it, you can do:

    git pull <a class="moz-txt-link-freetext" href="ssh://gerrit.libreoffice.org:29418/core">ssh://gerrit.libreoffice.org:29418/core</a> refs/changes/56/58756/1

xmlsecurity: nsscrypto_initialize: try to avoid profile migration

<a class="moz-txt-link-freetext" href="https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.35_release_notes">https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.35_release_notes</a>

NSS 3.35 and later will automatically migrate profiles from the
old "dbm:" BDB format to the new "sql:" SQLite format.

The new format can be read by NSS 3.12 and later, which is old enough that
it can be assumed to be available.

However LibreOffice still shouldn't migrate the profile on its own:
LO typically uses a Mozilla Firefox or Thunderbird profile, and if it is
a system Firefox with system NSS libraries, then it's probably a bad
idea for LO to migrate the profile under Firefox's nose, particularly
considering the "partial migration" scenario if the profile is
password-protected.

Try to avoid this by checking if the profile is the old format and
explicitly using the "dbm:" prefix to prevent the migration.

Change-Id: I06480522f830ce74e2fb7bf79fee84ad80979b82
---
M xmlsecurity/source/xmlsec/nss/nssinitializer.cxx
1 file changed, 14 insertions(+), 0 deletions(-)



diff --git a/xmlsecurity/source/xmlsec/nss/nssinitializer.cxx b/xmlsecurity/source/xmlsec/nss/nssinitializer.cxx
index dd035c6..b1f16df 100644
--- a/xmlsecurity/source/xmlsec/nss/nssinitializer.cxx
+++ b/xmlsecurity/source/xmlsec/nss/nssinitializer.cxx
@@ -244,6 +244,20 @@
     // there might be no profile
     if ( !sCertDir.isEmpty() )
     {
+        if (sCertDir.indexOf(':') == -1) //might be env var with explicit prefix
+        {
+            OUString sCertDirURL;
+            osl::FileBase::getFileURLFromSystemPath(
+                OStringToOUString(sCertDir, osl_getThreadTextEncoding()),
+                sCertDirURL);
+            osl::DirectoryItem item;
+            if (osl::FileBase::E_NOENT == osl::DirectoryItem::get(sCertDirURL + "/cert8.db", item) &&
+                osl::FileBase::E_NOENT != osl::DirectoryItem::get(sCertDirURL + "/cert9.db", item))
+            {
+                SAL_INFO("xmlsecurity.xmlsec", "nsscrypto_initialize: trying to avoid profile migration");
+                sCertDir = "dbm:" + sCertDir;
+            }
+        }
         if( NSS_InitReadWrite( sCertDir.getStr() ) != SECSuccess )
         {
             SAL_INFO("xmlsecurity.xmlsec", "Initializing NSS with profile failed.");
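
Review bot: the cert8.db/cert9.db existence test in the added block looks inverted relative to the commit message. As written, the "dbm:" prefix is applied when the lookup of cert8.db returns E_NOENT and the lookup of cert9.db does not, i.e. when only the SQLite database is present; cert8.db is the legacy DBM file, so the two comparisons should be swapped so that the prefix is added when cert8.db exists and cert9.db is absent. Two smaller points in the same block: the return value of getFileURLFromSystemPath is ignored, so on failure sCertDirURL stays empty and the lookups run against "/cert8.db"; and the indexOf(':') guard also skips the check for any system path that itself contains a colon (a Windows drive letter, for example), so matching the known "dbm:" and "sql:" prefixes explicitly would be more robust.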

-- 
To view, visit <a class="moz-txt-link-freetext" href="https://gerrit.libreoffice.org/58756">https://gerrit.libreoffice.org/58756</a>

Gerrit-MessageType: newchange
Gerrit-Change-Id: I06480522f830ce74e2fb7bf79fee84ad80979b82
Gerrit-PatchSet: 1
Gerrit-Project: core
Gerrit-Branch: master
Gerrit-Owner: Michael Stahl <a class="moz-txt-link-rfc2396E" href="mailto:Michael.Stahl@cib.de">&lt;Michael.Stahl@cib.de&gt;</a>
</pre>
    </div>
  </body>
</html>