Closed Bug 450764 Opened 16 years ago Closed 15 years ago

Block xpi file links in comments

Categories

(addons.mozilla.org Graveyard :: Public Pages, enhancement)

enhancement
Not set
normal

Tracking

(Not tracked)

VERIFIED INVALID

People

(Reporter: aryx, Unassigned)

Details

Please block xpi file links in comments, especially if the add-on is incompatible with the current version; some (most?) users tend to install it without thinking about the vulnerabilities which could be in it.

Often, these are simply version-bumped files or files with a few lines modified. A warning box above the comment (if it contains an xpi link) is also a possible solution.
I am not sure if this would be effective? What if people point to an xpi through tinyurl?
This has been discussed before and was the main reason we stalled on allowing developers to use HTML or autolink URLs 2 years ago. The only solution we came up with was pointing all external URLs through a redirector I think.
Yeah, the file could also be rewritten, so I'm not sure how much a redirector would help unless it downloaded the link first or checked its mimetype before redirecting the user?

The easiest thing to do would probably be to move public pages onto a new domain and whitelist that domain in the install API or something similar. Like addons.mozilla.com or something?
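The two mechanisms discussed in the thread so far, a warning/flag on comments that contain an .xpi link (comment 0) and a redirector that inspects the target's mimetype before sending the user on (comment 3), sketched as an added example. This is illustrative code written for this page, not AMO's own code; the URL regex, the function names, the `head` callable and the `FAKE_HEAD_RESPONSES` sample sites are all constructed here. `application/x-xpinstall` is the content type Firefox expects for an installable extension package; a real redirector would replace `fake_head` with an actual HTTP HEAD request.

```python
import re
from urllib.parse import urlparse

# Rough http(s) URL matcher for scanning free-text comments (constructed for this example).
URL_RE = re.compile(r'https?://[^\s<>"\')]+', re.IGNORECASE)

# Content type Firefox uses for extension packages served for install.
XPI_MIME = "application/x-xpinstall"
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def find_urls(text):
    """All http(s) URLs mentioned in a comment body."""
    return URL_RE.findall(text)


def looks_like_xpi(url):
    """Static check on the URL alone: does the path end in .xpi?"""
    return urlparse(url).path.lower().endswith(".xpi")


def flag_comment(text):
    """URLs in a comment that obviously point at an .xpi (the 'warning box' case).
    Misses short links and download scripts; the redirector check below covers those."""
    return [u for u in find_urls(text) if looks_like_xpi(u)]


def classify_response(status, headers):
    """Decide from a HEAD response whether the target serves an XPI package."""
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    if ctype == XPI_MIME:
        return "xpi by content-type"
    if ".xpi" in headers.get("Content-Disposition", "").lower():
        return "xpi by content-disposition"
    return None


def redirector_check(url, head, max_hops=5):
    """Redirector policy: follow redirects via HEAD, then inspect the final hop.
    `head` is a callable url -> (status, headers); a real one would issue an HTTP
    HEAD request. Returns (allow, reason, final_url)."""
    current = url
    for _ in range(max_hops):
        if looks_like_xpi(current):
            return False, "xpi by path", current
        status, headers = head(current)
        if status in REDIRECT_STATUSES and "Location" in headers:
            current = headers["Location"]
            continue
        reason = classify_response(status, headers)
        if reason:
            return False, reason, current
        return True, "ok", current
    return False, "too many redirects", current


# Constructed sample "sites" standing in for real HEAD responses (not real hosts).
FAKE_HEAD_RESPONSES = {
    "http://short.example/abc": (301, {"Location": "http://files.example/fixed-1.2.3.xpi"}),
    "http://files.example/fixed-1.2.3.xpi": (200, {"Content-Type": XPI_MIME}),
    "http://files.example/download?id=7": (200, {"Content-Type": XPI_MIME}),
    "http://blog.example/post": (200, {"Content-Type": "text/html; charset=utf-8"}),
    "http://loop.example/a": (302, {"Location": "http://loop.example/b"}),
    "http://loop.example/b": (302, {"Location": "http://loop.example/a"}),
}


def fake_head(url):
    """Stand-in for an HTTP HEAD request, served from the constructed table."""
    return FAKE_HEAD_RESPONSES.get(url, (404, {}))


if __name__ == "__main__":
    comment = ("Works with 3.1 if you use http://files.example/fixed-1.2.3.xpi "
               "or the short link http://short.example/abc")
    print("flagged in comment:", flag_comment(comment))
    for u in find_urls(comment) + ["http://files.example/download?id=7",
                                   "http://blog.example/post",
                                   "http://loop.example/a"]:
        print(u, "->", redirector_check(u, fake_head))
```

The split between the two functions is the point: `flag_comment` only sees the text, so the tinyurl case from comment 1 passes it, while `redirector_check` runs at click time and catches the short link by following it. Even the redirector is only a point-in-time check, which is the objection in comment 3: the file behind the URL can be swapped after the HEAD request, and a server may answer HEAD and GET differently, so neither check substitutes for keeping installs on a whitelisted domain.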
You can't add links to comments, ->invalid
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → INVALID
Well, either the people have extensions like Linkification installed or will open the url manually.
(In reply to comment #5)
> Well, either the people have extensions like Linkification installed or will
> open the url manually.

It's true, people might do that, but the chances are pretty slim.
Status: RESOLVED → VERIFIED
Product: addons.mozilla.org → addons.mozilla.org Graveyard