Closed
Bug 1031445
Opened 11 years ago
Closed 11 years ago
disallowed direct link to xpi in developer comments
Categories: addons.mozilla.org Graveyard :: Public Pages, defect
Tracking: Not tracked
Status: RESOLVED FIXED
People
(Reporter: curtisk, Assigned: jorgev)
Details
To: security@mozilla.org
Subject: Question re iffy link on addons.mozilla.org
From: bennoro@cs.com
Received: Fri, 27 Jun 2014 12:41:45 -0400
-----//-----
Can you please check this addons page?
Not sure that it breaks the rules, but possibly malicious so pointing it out to you...
https://addons.mozilla.org/en-US/firefox/addon/go-parent-folder
In the "About" box, the last line: "For Firefox30+, please refer to 'Developer Comments'"
At the bottom of the webpage is the Developer Comments section, and when expanded there is only a link to a geocities.jp page and
a reassuring note: "Working in progress..." The link does not open a webpage, but rather asks you to download something.
Maybe it's just creepy, maybe it's just me, but there's not enough info here. As long as you say this is ok, then fine.
Thanks!
Comment 1•11 years ago
Alice is an outstanding member of our community so I'm sure we can work something out, but having a raw .xpi link from AMO isn't great and an insecure http: one is worse. Maybe a developer's home page link would be OK? I think I've seen that on other listings.
Firefox 30 is the current shipping release version so if the AMO version doesn't work for it the solution might be to get whatever is at that geocities link through the review process.
Comment 2•11 years ago
I've removed the link.
Comment 3•11 years ago (Reporter)
Thanks Alice, we knew this was malicious or a dangerous xpi but the experience is sub-optimal. The best would be to have some sort of landing page that explains what is going on or what is happening with the development version, then a link to the xpi that the user can choose to install. If this is a ready to go xpi I think we can get it reviewed pretty quickly.
Comment 4•11 years ago
We should provide an automation mechanism to check such links on AMO.
Direct links to XPI files and executable files at least.
Redirection links may be difficult, I think.
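Comment 4 asks for an automated check of developer-comment links, and Comment 1 flags the insecure http: case. The Python below is an added example, not AMO's own code: it scans comment text for URLs, flags direct installer downloads and plaintext http: links, and follows an optional redirect resolver for the shortener case Comment 4 calls difficult. The hostnames, the sample comment and the redirect table are constructed placeholders.

```python
import re
from urllib.parse import urlsplit

# Extensions treated as direct downloads of installable/executable artifacts
# (constructed list for this example; extend as needed).
DIRECT_DOWNLOAD_EXTENSIONS = {".xpi", ".exe", ".msi", ".dmg", ".crx", ".jar"}
# Loose URL matcher for free-form comment text.
URL_PATTERN = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def classify_url(url, resolve=None, max_hops=5):
    """Return (kind, detail) findings for one URL.
    `resolve` optionally maps a URL to its redirect target (or None), so a
    shortener in front of an .xpi is caught; hops are capped to stop loops.
    """
    findings, seen, current = [], set(), url
    for _ in range(max_hops + 1):
        parts = urlsplit(current)
        if parts.scheme.lower() == "http":          # plaintext download/redirect
            findings.append(("insecure_scheme", current))
        last_segment = parts.path.rsplit("/", 1)[-1].lower()
        ext = "." + last_segment.rsplit(".", 1)[-1] if "." in last_segment else ""
        if ext in DIRECT_DOWNLOAD_EXTENSIONS:        # raw installer link
            findings.append(("direct_download", current))
        seen.add(current)
        nxt = resolve(current) if resolve else None
        if nxt is None or nxt in seen:
            break
        findings.append(("redirect", f"{current} -> {nxt}"))
        current = nxt
    return findings


def scan_developer_comments(text, resolve=None):
    """Map each flagged URL found in `text` to its list of findings."""
    report = {}
    for url in URL_PATTERN.findall(text):
        findings = classify_url(url, resolve)
        if findings:
            report[url] = findings
    return report


# Constructed sample comment: a raw .xpi over http:, a harmless project page,
# and a shortener (constructed redirect table stands in for HEAD requests).
SAMPLE_COMMENT = (
    "Working in progress... For Firefox 30+ use "
    "http://dev.example.invalid/files/goparentfolder-dev.xpi or see "
    "https://dev.example.invalid/project/ for details, mirror: "
    "http://short.example.invalid/gpf"
)
REDIRECTS = {"http://short.example.invalid/gpf": "https://dev.example.invalid/files/gpf.xpi"}
```

Calling scan_developer_comments(SAMPLE_COMMENT, REDIRECTS.get) reports all three findings on the shortener link; without a resolver only its http: scheme is reported.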
Comment 5•11 years ago (Assignee)
We remove any direct link to XPI files when reported, and our redirect page tells users to do that. Historically we've only run into a handful of these situations, and none of them have so far been malicious. I don't think it would be a good use of our time to have active monitoring of all external links, but please file a separate bug if you think we should pursue this.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Updated•9 years ago
Product: addons.mozilla.org → addons.mozilla.org Graveyard