From aecd341dfead1c3ef7a3c15468ecd71e8343b7c6 Mon Sep 17 00:00:00 2001 From: Kacper Koniuszy <120419423+kkoniuszy@users.noreply.github.com> Date: Sat, 27 Jul 2024 10:55:09 +0200 Subject: [PATCH] firefox: improve search engine disclaimer generation Using a fixed application name in the salt for the search engine name hash can break with minor branding changes. For example, LibreWolf 127 used the application name "LibreWolf", but in version 128 it is "Firefox". The proper name can be found in about:support -> Application Basics. Because it doesn't have to be related to the product name visible in most of the browser (for example in the window title and help menus), we shouldn't rely on cfg.name for that. The application name can be read from lib/*/application.ini and we can use that if the browser was installed via Home Manager. If not, we can fall back to cfg.name. --- modules/programs/firefox/mkFirefoxModule.nix | 1 + modules/programs/firefox/profiles/search.nix | 24 +++++++++++++++++--- modules/programs/thunderbird.nix | 1 + 3 files changed, 23 insertions(+), 3 deletions(-) diff --git a/modules/programs/firefox/mkFirefoxModule.nix b/modules/programs/firefox/mkFirefoxModule.nix index 8ef3f12d3..da7c96722 100644 --- a/modules/programs/firefox/mkFirefoxModule.nix +++ b/modules/programs/firefox/mkFirefoxModule.nix @@ -553,6 +553,7 @@ in { inherit (args) config; inherit lib pkgs; appName = cfg.name; + package = cfg.finalPackage; modulePath = modulePath ++ [ "profiles" name "search" ]; profilePath = config.path; }); diff --git a/modules/programs/firefox/profiles/search.nix b/modules/programs/firefox/profiles/search.nix index 69b771aa4..99a226744 100644 --- a/modules/programs/firefox/profiles/search.nix +++ b/modules/programs/firefox/profiles/search.nix @@ -1,4 +1,4 @@ -{ config, lib, pkgs, appName, modulePath, profilePath }: +{ config, lib, pkgs, appName, package, modulePath, profilePath }: with lib; 
@@ -108,10 +108,10 @@ let # a claim by Mozilla to remove this would be very anti-user, and # is unlikely to be an issue for our use case. disclaimer = "By modifying this file, I agree that I am doing so " - + "only within ${appName} itself, using official, user-driven search " + + "only within @appName@ itself, using official, user-driven search " + "engine selection processes, and in a way which does not circumvent " + "user consent. I acknowledge that any attempt to change this file " - + "from outside of ${appName} is a malicious act, and will be responded " + + "from outside of @appName@ is a malicious act, and will be responded " + "to accordingly."; salt = if config.default != null then @@ -124,11 +124,29 @@ let else null; + appNameVariable = if package == null then + "appName=${lib.escapeShellArg appName}" + else '' + applicationIni="$(find ${lib.escapeShellArg package} -maxdepth 3 -path ${ + lib.escapeShellArg package + }'/lib/*/application.ini' -print -quit)" + if test -n "$applicationIni"; then + appName="$(sed -n 's/^Name=\(.*\)$/\1/p' "$applicationIni" | head -n1)" + else + appName=${lib.escapeShellArg appName} + fi + ''; + file = pkgs.runCommand "search.json.mozlz4" { nativeBuildInputs = with pkgs; [ mozlz4a openssl ]; json = builtins.toJSON settings; inherit salt privateSalt; } '' + ${appNameVariable} + + salt=''${salt//@appName@/"$appName"} + privateSalt=''${privateSalt//@appName@/"$appName"} + if [[ -n $salt ]]; then export hash=$(echo -n "$salt" | openssl dgst -sha256 -binary | base64) export privateHash=$(echo -n "$privateSalt" | openssl dgst -sha256 -binary | base64) diff --git a/modules/programs/thunderbird.nix b/modules/programs/thunderbird.nix index ad7a1360f..b3713f655 100644 --- a/modules/programs/thunderbird.nix +++ b/modules/programs/thunderbird.nix 
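Review bot: The `@appName@` token introduced in `disclaimer` has no comment saying where it gets filled in, and the replacement in the builder script (next hunk) runs over the whole of `$salt` and `$privateSalt`, not only the disclaimer text. I would add above `disclaimer`: `# @appName@ is a placeholder; the runCommand below substitutes the real application name at build time.` The rest of the salt is assembled outside this hunk, so please confirm that no other component of it (presumably the profile path and engine name) can contain the literal `@appName@`. If one did, it would be rewritten too and the hash would change silently.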
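Review bot: In `appNameVariable`, when `application.ini` is found but the `sed` expression matches no `Name=` line, `appName` ends up empty and the builder still computes `hash` and `privateHash` over a disclaimer with a blank name. The fallback to the configured name only covers the case where `find` returns nothing. Adding `test -n "$appName" || appName=${lib.escapeShellArg appName}` after the `fi` would cover both cases; failing the build with a message would also be reasonable, since a wrong hash is presumably just rejected by the browser without any error. The `sed` pattern is also not scoped to an ini section, so it relies on the first `Name=` key in the file being the application's; a short comment saying so would help. The `let` block and the `runCommand` script both continue outside this hunk.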
@@ -232,6 +232,7 @@ in { inherit (args) config; inherit lib pkgs; appName = "Thunderbird"; + package = cfg.package; modulePath = [ "programs" "thunderbird" "profiles" name "search" ]; profilePath = name;