Closed Bug 1217959 Opened 4 years ago Closed 4 years ago

Need to use a 'permitted-list' for handling certificates when opening signed packages for reviewers

Categories

(Core Graveyard :: DOM: Apps, defect, P1)

Tracking

(blocking-b2g:2.5+, feature-b2g:2.5+, firefox44 fixed)

VERIFIED FIXED
mozilla44

People

(Reporter: ddurst, Unassigned)

The path used for the resolution of bug 1213919 seems to be incorrect.

In https://mxr.mozilla.org/mozilla-central/source/dom/apps/Webapps.jsm#3726, the reviewer certs are associated with the root "/reviewers/" which is true for webapps, but not for add-ons. This is currently blocking reviewer approval of submitted add-ons for 2.5.

Fabrice suggested a permitted list instead of additional hard-coding. 

The whitelist to pick reviewer certs in Gecko seems wrong:
https://dxr.mozilla.org/mozilla-central/source/b2g/app/b2g.js#1071
https://dxr.mozilla.org/mozilla-central/source/dom/apps/Webapps.jsm#3746

Instead of whitelisting "/reviewers/,/content/addon/review/" it should whitelist "/reviewers/,/extension/reviewers/", since it's the manifest that needs to be whitelisted, not the install origin.
blocking-b2g: --- → 2.5+
feature-b2g: --- → 2.5+
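
The manifest-path check discussed above, as an added example that is not part of this bug or Gecko's own code: it parses the comma-separated pref value into path prefixes and matches them against the manifest URL's path. The function names, the host marketplace.example and the manifest file names are assumptions constructed for illustration.

```javascript
// Added illustration; names and URLs are hypothetical, not Gecko's implementation.

// Parse the comma-separated pref into path prefixes. Entries that do not start
// and end with "/" are dropped, so a trailing comma cannot produce an empty
// prefix (which would match every path).
function parsePermittedList(prefValue) {
  return prefValue
    .split(",")
    .map((p) => p.trim())
    .filter((p) => p.startsWith("/") && p.endsWith("/"));
}

// True when the manifest URL's path falls under one of the permitted prefixes.
function isReviewerManifest(manifestURL, permittedPrefixes) {
  let path;
  try {
    // URL parsing resolves "." and ".." segments before the comparison.
    path = new URL(manifestURL).pathname;
  } catch (e) {
    return false; // unparsable URL: never treat it as a reviewer package
  }
  return permittedPrefixes.some((prefix) => path.startsWith(prefix));
}

// Pref values quoted in this bug.
const OLD_PREF = "/reviewers/,/content/addon/review/";
const NEW_PREF = "/reviewers/,/extension/reviewers/";

// Constructed sample manifest URLs.
const SAMPLES = {
  webapp: "https://marketplace.example/reviewers/app/1234/manifest.webapp",
  addon: "https://marketplace.example/extension/reviewers/abcd/manifest.json",
  publicAddon: "https://marketplace.example/extension/abcd/manifest.json",
  traversal: "https://marketplace.example/extension/reviewers/../abcd/manifest.json",
};

// Evaluate every sample against a given pref value.
function evaluate(prefValue) {
  const prefixes = parsePermittedList(prefValue);
  const result = {};
  for (const [name, url] of Object.entries(SAMPLES)) {
    result[name] = isReviewerManifest(url, prefixes);
  }
  return result;
}

console.log("old pref:", evaluate(OLD_PREF));
console.log("new pref:", evaluate(NEW_PREF));
```
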
Hey Fabrice, any ideas on whose team this would need help from?
Flags: needinfo?(fabrice)
If the only change is to update the pref to "/reviewers/,/extension/reviewers/" that's a totally trivial change.
Flags: needinfo?(fabrice)
Is this bug not the same as Bug 1213919?
It's a fix on 1213919.
https://hg.mozilla.org/mozilla-central/rev/172b1a3f267f
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla44
Status: RESOLVED → VERIFIED
Product: Core → Core Graveyard