Closed
Bug 1213919
Opened 10 years ago
Closed 10 years ago
Need to use a 'permitted-list' for handling certificates when opening signed packages for reviewers
Categories
(Core Graveyard :: DOM: Apps, defect, P1)
Tracking
(blocking-b2g:2.5+, firefox44 fixed)
| | Tracking | Status |
|---|---|---|
| firefox44 | --- | fixed |
People
(Reporter: ddurst, Assigned: fabrice)
Attachments
(1 file)
patch, 2.28 KB, ferjm: review+
In https://mxr.mozilla.org/mozilla-central/source/dom/apps/Webapps.jsm#3726, the reviewer certs are associated with the root "/reviewers/" which is true for webapps, but not for add-ons (those are using /content/addon/review/).
Fabrice suggested a permitted list instead of additional hard-coding.
This is currently blocking reviewer approval of submitted add-ons for 2.5.
Comment 1 • 10 years ago (Assignee)
David, can you test this patch locally to verify?
Assignee: nobody → fabrice
Attachment #8672775 - Flags: review?(ferjmoreno)
Comment 2 • 10 years ago
(In reply to [:fabrice] Fabrice Desré from comment #1)
> Created attachment 8672775 [details] [diff] [review]
> reviewer-cert-paths.patch
It needs to apply to production as well as dev - the patch is only changing dev.
Comment 3 • 10 years ago
Comment on attachment 8672775 [details] [diff] [review]
reviewer-cert-paths.patch
Review of attachment 8672775 [details] [diff] [review]:
-----------------------------------------------------------------
LGTM
Attachment #8672775 - Flags: review?(ferjmoreno) → review+
Comment 5 • 10 years ago
Can you fix this to apply to production marketplace too?
Flags: needinfo?(fabrice)
Comment 6 • 10 years ago (Assignee)
Bustage follow up:
https://hg.mozilla.org/integration/b2g-inbound/rev/2bd66074e01a
(In reply to Andrew Williamson [:eviljeff] from comment #5)
> Can you fix this to apply to production marketplace too?
I did in the followup.
Flags: needinfo?(fabrice)
Comment 7 • 10 years ago
Status: NEW → RESOLVED
Closed: 10 years ago
status-firefox44: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla44
Comment 8 • 10 years ago (Reporter)
Reopening based on https://bugzilla.mozilla.org/show_bug.cgi?id=1213860#c6
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Updated • 10 years ago
blocking-b2g: --- → 2.5+
Comment 9 • 10 years ago (Reporter)
(Pasting here from bug 1213860 to save you a crosslink)
https://marketplace.firefox.com/extension/1ee2f3ed13e842fab67afed75492333b/manifest.json is 404 because it's the public mini-manifest URL. The reviewer mini-manifest URL is different; it's per version and the prefix is /extension/reviewers/.
I'm not sure what's causing your issue, but in any case the whitelist to pick reviewer certs in Gecko seems wrong to me:
https://dxr.mozilla.org/mozilla-central/source/b2g/app/b2g.js#1068
https://dxr.mozilla.org/mozilla-central/source/dom/apps/Webapps.jsm#3746
Instead of whitelisting "/reviewers/,/content/addon/review/" it should whitelist "/reviewers/,/extension/reviewers/", since it's the manifest that needs to be whitelisted, not the install origin.
Priority: P2 → P1
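The check discussed in comment 9, sketched as an added example (not Gecko's Webapps.jsm code and not part of the original thread): the manifest URL's parsed path is matched against the comma-separated permitted list. The function and constant names, the store-origin check, and every sample URL except the public one quoted in comment 9 are assumptions.

```javascript
// Added example, not Gecko code; every name below is hypothetical.
// Permitted list in the comma-separated form quoted in comment 9.
const PERMITTED_REVIEWER_PATHS = "/reviewers/,/extension/reviewers/";
// Assumption: reviewer certs are only ever considered for this store origin.
const STORE_ORIGIN = "https://marketplace.firefox.com";

// Split the list; keep only entries that are absolute paths, so a stray
// comma cannot produce an empty prefix that every path starts with.
function parsePermittedPaths(list) {
  return list.split(",").map((s) => s.trim()).filter((s) => s.startsWith("/"));
}

// Pick the certificate root from the manifest URL (not the install origin).
// Returns "reviewer" or "public"; anything unparseable falls back to "public".
function certRootForManifest(manifestURL, permittedList = PERMITTED_REVIEWER_PATHS) {
  let url;
  try {
    url = new URL(manifestURL);
  } catch (e) {
    return "public";
  }
  if (url.origin !== STORE_ORIGIN) {
    return "public";
  }
  // Anchor the match at the start of the parsed path: a listed prefix that
  // appears only in the query string or deeper in the path does not count.
  const hit = parsePermittedPaths(permittedList).some((p) => url.pathname.startsWith(p));
  return hit ? "reviewer" : "public";
}

// Constructed sample URLs (the first is the public URL quoted in comment 9).
const SAMPLES = [
  STORE_ORIGIN + "/extension/1ee2f3ed13e842fab67afed75492333b/manifest.json",
  STORE_ORIGIN + "/extension/reviewers/EXAMPLE-ID/manifest.json",
  STORE_ORIGIN + "/reviewers/EXAMPLE-APP/manifest.webapp",
  STORE_ORIGIN + "/content/addon/review/EXAMPLE-ID",
  STORE_ORIGIN + "/extension/EXAMPLE-ID/manifest.json?from=/reviewers/",
  "https://example.org/reviewers/manifest.json",
];

for (const u of SAMPLES) {
  console.log(certRootForManifest(u).padEnd(9), u);
}
```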
Updated • 10 years ago (Reporter)
Status: REOPENED → RESOLVED
Closed: 10 years ago → 10 years ago
Resolution: --- → FIXED
Updated•8 years ago
|
Product: Core → Core Graveyard