Closed Bug 281902 Opened 20 years ago Closed 19 years ago

Addons should not be allowed to have an external updateUrl

Categories

(addons.mozilla.org Graveyard :: Administration, defect, P1)

Product:
addons.mozilla.org Graveyard
Component:
Administration
Type:
defect

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: jean-michel.philippe, Assigned: morgamic)

References

Details

Attachments

(1 file, 1 obsolete file)

check for updateURL -- didn't know there was already a patch here
1.27 KB, patch
morgamic
: first-review+
Details | Diff | Splinter Review 
User-Agent:       Mozilla/5.0 (X11; U; Linux i686; fr-FR; rv:1.7.5) Gecko/20041108 Firefox/1.0
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; fr-FR; rv:1.7.5) Gecko/20041108 Firefox/1.0

When Firefox searches for extension updates, he may download software from sites
not listed in the whitelist without warning. We do not no how safe these sites
are. One can thus imagine a malicious hacker that makes an intrusion on such a
site to replace the extension or even just the software update download site
that the extension provides. All further updates would then download malicious
software if not aldready done.

NB: indeed I found myself upgrading Tab Browser Preferences from the supposed
author site and then had my Firefox work very bad. I had to uninstall and
re-install from the official Mozilla site so now I take care of upgrading from
the official extension site only.

NB2: I didn't find any bug report about this topic, so I hope this no duplicate!

Reproducible: Always

Steps to Reproduce:
1. install extensions from the Mozilla site (e.g. Tab Browser Preferences) and
restart
2. make Firefox search for extension updates
3. agree to update
Actual Results:  
software updates are installed without warning about the fact that the download
site does not belong to the list of trusted extension sites

Expected Results:  
Firefox should warn and discourage to use such sites
We are updating the update.mozilla.org hosting policy and one of the
requirements will be that extensions we host must only update from our site.
Authors will of course be free to host versions elsewhere that update from where
they like (for example, development versions might update from the developers
own site).

This may be a dupe but I couldn't find it. Possibly it only exists on the
in-progress policy document in which case this bug is a useful reminder.
Assignee: bugs → Bugzilla-alanjstrBugs
Status: UNCONFIRMED → NEW
Component: Software Update → Administration
Ever confirmed: true
Product: Firefox → Update
QA Contact: bugs → mozilla.update
Summary: Extension updates are searched on sites outside from the whitelist → Require UMO-hosted extensions must update only from UMO
Still waiting on the policy doc.  Setting it to block this bug.  The code will
go somewhere around
http://lxr.mozilla.org/update1.0/source/developers/additem.php#88
Depends on: 245198
Target Milestone: --- → 1.1
Target Milestone: 1.1 → 2.0
The extension update url should not be overwritten until UMO can get it's review
turnaround down.  It's 1 week+ at the moment and getting worse.  It it's not
closer to 24 hours, overwriting the update url will be a hindrance to extension
authors who want to get security fixes out quickly.
While this makes sense from a security standpoint, this will be a pain in the
ass for extension authors.

I for one don't use UMO's update functionallity for a few different reasons
1) Review turn around as mentioned in comment #3
2) States, I like to know how many users are indeed upgrading, as this reflects
what kind of backwards compatibility my extensions should offer, and who I'm
tailoring to.
3) UMO instability, if UMO ever goes down or defunct (has happened in the past),
all my end users will be stuck.
(In reply to comment #4)
> While this makes sense from a security standpoint, this will be a pain in the
> ass for extension authors.

I reckon security is more important here. 
1) Turnaround has improved greatly.
2) UMO could provide statistics to developers on this.
3) As mozilla and umo grow I doubt this will be acceptable in future.

        Attachment #194506 -
        Flags: first-review?(cst)

    
  
Summary: Require UMO-hosted extensions must update only from UMO → [Submission] Require UMO-hosted extensions must update only from UMO

    
    

    
  
(In reply to comment #4)
> While this makes sense from a security standpoint, this will be a pain in the
> ass for extension authors.

To me security issues are much much more important than extension developer
comfort! Developers should all be aware of all kind of security issues and
understand why they cannot do whatever they want or would like to. If they
really want to keep working for the community they *must* adopt a safe and
professional behaviour.
Perhaps some tools are missing but I must say I really don't like the idea that
UMO downloaded extensions could update from anywhere else even in case of
critical bugs. Who could have had enough time to check the patched code? I would
rather prefer a kind of alert message that encourages users to disable
extensions or force disabling them while the code gets patched. There are a lot
of people waiting for Mozilla and its community to make mistakes, please don't
give them opportunities... It's so good job!

    
    

    
  
This has been drafted here http://wiki.mozilla.org/Update:Requirements/LegalAndReview

Currently some reviewers are denying addons with external updateurls, but it should be coded into the site so it automatically checks install.rdf when a developer uploads the addon

Upping severity as this is a major security issue and I agree with Jean-Michel
(comment #7)
> (...) There are a lot
> of people waiting for Mozilla and its community to make mistakes, please don't
> give them opportunities... 


Severity: normal → major

    
    

    
  
morgamic -

Now that we're enforcing this rule, we really need to automate it.  
Assignee: Bugzilla-alanjstrBugs → morgamic
Target Milestone: 2.0 → 1.1

    
    

    
  
Picking this back up.
Status: NEW → ASSIGNED

    
  
Severity: major → critical
Priority: -- → P1

    
    

    
  


  

        Attachment #194506 -
        Attachment is obsolete: true

        Attachment #194506 -
        Flags: first-review?(cst)

    
    

    
  
Comment on attachment 208163 [details] [diff] [review]
check for updateURL -- didn't know there was already a patch here

I'll be adventerous and commit this.  It's simple enough.

        Attachment #208163 -
        Flags: first-review+

    
  
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED

    
    

    
  
Just changing the summary because I'm really tired of searching for the old one.
Summary: [Submission] Require UMO-hosted extensions must update only from UMO → Addons can no longer have an external updateUrl

    
  
Summary: Addons can no longer have an external updateUrl → Addons should not be allowed to have an external updateUrl
Product: addons.mozilla.org → addons.mozilla.org Graveyard

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: