Closed
Bug 625842
Opened 13 years ago
Closed 13 years ago
Fix potential URL conflicts with Addon pages in the devhub (slugs)
Categories
(addons.mozilla.org Graveyard :: Developer Pages, defect, P3)
addons.mozilla.org Graveyard
Developer Pages
Tracking
(Not tracked)
VERIFIED
FIXED
5.12.9
People
(Reporter: kumar, Assigned: andy+bugzilla)
Details
(Whiteboard: [See comment 6])
Attachments
(2 files)
post-fix screenshot
Currently these dev URLs exist or about to exist: /developers/addon/submit/1 /developers/addon/submit/2 ... /developers/addon/validate But add-on slugs are also supported, such as: /developers/addon/firebug-0.5/edit This will conflict with add-ons having slugs such as submit or validate. We could either blacklist slug names, which would be error prone and cumbersome to maintain, or we could change the URLs for submission, validation, etc.
|
||
Comment 1•13 years ago
|
||
Hiding to avoid any opportunistic slugging. Do add-on slugs check against the username blacklist? If so, we can add the needed slugs to that blacklist. Any slugs unsuitable for one can also be unsuitable for another.
Group: client-services-security
|
||
Comment 2•13 years ago
|
||
I put the /addon/:slug matching at the bottom of urls.py for this reason. Anyone trying these shenanigans won't be able to access their add-on.
|
|
||
Comment 3•13 years ago
|
||
So it won't break our tools but it will break their add-on, so we should disallow changing to reserved slugs.
Group: client-services-security
Target Milestone: --- → Q1 2011
|
||
Comment 4•13 years ago
|
||
(In reply to comment #3) > So it won't break our tools but it will break their add-on, so we should > disallow changing to reserved slugs. I thought there was already a bug for this, but maybe I'm confusing that with the one to support reserved tags.
|
Reporter | |
Comment 5•13 years ago
|
||
(In reply to comment #2) > I put the /addon/:slug matching at the bottom of urls.py for this reason. > Anyone trying these shenanigans won't be able to access their add-on. for non-malicious users who end up with an Add-on slug 'submit' (is that possible?) then wouldn't their time on devhub be sad and confusing? Seems to me like an easier fix would be to provide different URLs as long as breaking historic remora URLs isn't a problem.
|
|
||
Comment 6•13 years ago
|
||
This bug is about: - adding an `addons_blacklistedslug` table - disallowing slugs to be saved if their slug exists in that table - disallowing numeric slugs (to prevent weirdness with our add-on id redirects) - we don't need a CRUD front end on the table for now, we can run queries on the db manually
Assignee: nobody → amckay
Priority: -- → P3
Whiteboard: [See comment 6]
Target Milestone: Q1 2011 → 5.12.9
|
|
||
Comment 7•13 years ago
|
||
(In reply to comment #6) > This bug is about: > > - adding an `addons_blacklistedslug` table Is there any reason to keep this separate from the username blacklist? They serve mostly the same purpose. > - disallowing numeric slugs (to prevent weirdness with our add-on id redirects) That's already enforced in Addon.clean_slug.
|
|
||
Comment 8•13 years ago
|
||
> > - adding an `addons_blacklistedslug` table
>
> Is there any reason to keep this separate from the username blacklist? They
> serve mostly the same purpose.
Less confusion a year from now
|
Assignee | |
Comment 9•13 years ago
|
||
https://github.com/jbalogh/zamboni/commit/8f4ff1b41c6adc2eeb8b941928de8eabef507a1d
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
|
||
Comment 10•13 years ago
|
||
verified that * 'submit' and 'validate' are not allowed slugs anymore. * numeric slugs are not allowed For some crazy reason, we do not allow hypen-only slugs.
Status: RESOLVED → VERIFIED
|
|
||
Comment 11•13 years ago
|
||
|
|
||
Comment 12•13 years ago
|
||
|
||
Updated•8 years ago
|
Product: addons.mozilla.org → addons.mozilla.org Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•