Closed
Bug 1093308
Opened 10 years ago
Closed 10 years ago
You can download the code for the package apps
Categories
(Marketplace Graveyard :: API, defect)
Tracking
(Not tracked)
RESOLVED
INVALID
People
(Reporter: moreno.rdr, Unassigned)
Details
User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0
Build ID: 20141027150301
Steps to reproduce:
1. Find the app you want to download
2. From its URL, extract the last part, the identifier of the app
3. Copy the ID and substitute it into this URL: https://marketplace.firefox.com/api/v1/apps/app/{APP-ID}
4. In the JSON that the API returns, search for the term "zip"; that is the URL to the zip file containing the entire app.
EXAMPLE:
1. I found this app (It's mine): https://marketplace.firefox.com/app/paseapp
2. I copy the identifier of that app: paseapp
3. I have generated the URL already with the identifier: https://marketplace.firefox.com/api/v1/apps/app/paseapp/
4. I found the package url (https://marketplace.firefox.com/downloads/file/230068/paseapp-0.5.5.zip)
5. I downloaded the app and may have access to its code and/or art
Actual results:
I can download the zip file containing the entire app, and can access their code, art (images, sound, video), etc.
I know that the web is open by nature, but now that Mozilla has strategic allies such as Disney, EA, and other large enterprises, many of these companies would not be at all happy to know that anyone has access to the code and/or art.
I think in this sense we must take some care, as the press lately is also very attentive to any "failure" of security and sometimes exaggerates things just for sensationalism.
Expected results:
I think the Marketplace API is pretty good but the URL that contains the ZIP with all the app should not be accessible for everyone, only for people in the Marketplace and the company and its developers.
Reporter
Updated•10 years ago
Summary: You can download the code for the app → You can download the code for the package apps
Comment 1•10 years ago
This is by design.
Updated•10 years ago
Group: client-services-security
Comment 2•10 years ago
how would one install the app if the zip file wasn't available for download?
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Resolution: --- → INVALID
Reporter
Comment 3•10 years ago
(In reply to Andrew Williamson [:eviljeff] from comment #2)
> how would one install the app if the zip file wasn't available for download?
It definitely has to be hosted somewhere and should be accessible for download ... But must that URL be accessible by all? My big problem with its current operation is that I could easily download the zip with the app to steal intellectual property, including that of Mozilla's partners, which on some occasions could be misconstrued or cause conflicts with partners.
Comment 4•10 years ago
|
||
Free apps can be installed without logging into Marketplace, so yes, it does need to be accessible to all. At the point of installation the app must be downloaded (if it's packaged) - at that point it's trivial to copy the zip from the folder (for Desktop), or use ADB to pull the zip from the device (for Android/FxOS).
Such is the design of webapps.