Closed
Bug 1174335
Opened 9 years ago
Closed 9 years ago
Automatic updates shouldn't be served for unlisted add-ons
Categories
(addons.mozilla.org Graveyard :: API, defect)
addons.mozilla.org Graveyard
API
Tracking
(Not tracked)
RESOLVED
FIXED
2015-06
People
(Reporter: jorgev, Assigned: magopian)
References
Details
Apparently AMO is serving automatic updates for unlisted add-ons, which we shouldn't do. Unlisted add-ons should be updated through a custom update URL or however the developer sees fit, but not through AMO.
|
||
Comment 1•9 years ago
|
||
This is the example that was brought to the channel: https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=2&id=lcdclock_bloodeye@gmail.com&version=0.4.2&maxAppVersion=2.1.*&status=userEnabled&appID={92650c4d-4b8e-4d2a-b7eb-24ecf4f6b63a}&appVersion=2.0.15pre&appOS=WINNT&appABI=x86-msvc&locale=en-US¤tAppVersion=2.0.15pre
|
Assignee | |
Comment 2•9 years ago
|
||
Should be fixed now, the services have been restarted, taking the "new" code into account (for history, the fix was in https://github.com/mozilla/olympia/commit/02513213d4d819bc97bada50c44a4c30439130f6 for bug 1144711). However, I'm now seeing that instead of returning a 404, it returns an empty RDF response. Maybe that needs to be fixed?
Assignee: nobody → mathieu
|
|
||
Comment 3•9 years ago
|
||
Doesn't make any difference to Firefox
|
|
Assignee | |
Comment 4•9 years ago
|
||
I was thinking about "not giving out the info" that this or that addon exists on the platform (even though it's not listed). It's a pretty small issue I believe, because one would have to know the link between a guid and an addon? Jorge, what do you think, does it matter at all?
Flags: needinfo?(jorge)
|
Reporter | |
Comment 5•9 years ago
|
||
It does matter. We should avoid revealing if a particular GUID is being signed by us. It's not high priority, but we should fix it.
Flags: needinfo?(jorge)
|
|
Assignee | |
Comment 6•9 years ago
|
||
I was wrong, the empty RDF response is returned for just anything, not only for existing add-ons that have no updates. So there's no leaking of information. Example link for an unlisted addon (it's mine, it's just the same as my listed addon, with an "a" appended to its guid): https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=0.4.2&id=jid1-CzCFymQL7Znp9ga@jetpack&version=0.4.2&maxAppVersion=39.0&status=userEnabled&appID={ec8030f7-c20a-464f-9b0e-13a3a9e97384}&appVersion=39.0&appOS=WINNT&appABI=x86-msvc&locale=en-US¤tAppVersion=39.0 Example link for a non-existing addon (same as above, but appended "non_existent" to its guid): https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=0.4.2&id=jid1-CzCFymQL7Znp9ga_non_existent@jetpack&version=0.4.2&maxAppVersion=39.0&status=userEnabled&appID={ec8030f7-c20a-464f-9b0e-13a3a9e97384}&appVersion=39.0&appOS=WINNT&appABI=x86-msvc&locale=en-US¤tAppVersion=39.0 Marking this bug as fixed.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
|
||
Updated•8 years ago
|
Product: addons.mozilla.org → addons.mozilla.org Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•