Need to use a 'permitted-list' for handling certificates when opening signed packages for reviewers

VERIFIED FIXED in Firefox 44

Status

Core Graveyard
DOM: Apps
P1
normal
VERIFIED FIXED
3 years ago
7 months ago

People

(Reporter: ddurst, Unassigned)

Tracking

unspecified
mozilla44

Firefox Tracking Flags

(blocking-b2g:2.5+, feature-b2g:2.5+, firefox44 fixed)

Details

(Reporter)

Description

3 years ago
The path used for the resolution of bug 1213919 seems to be incorrect.

In https://mxr.mozilla.org/mozilla-central/source/dom/apps/Webapps.jsm#3726, the reviewer certs are associated with the root "/reviewers/" which is true for webapps, but not for add-ons. This is currently blocking reviewer approval of submitted add-ons for 2.5.

Fabrice suggested a permitted list instead of additional hard-coding. 

The whitelist to pick reviewer certs in Gecko seems wrong:
https://dxr.mozilla.org/mozilla-central/source/b2g/app/b2g.js#1071
https://dxr.mozilla.org/mozilla-central/source/dom/apps/Webapps.jsm#3746

Instead of whitelisting "/reviewers/,/content/addon/review/" it should whitelist "/reviewers/,/extension/reviewers/", since it's the manifest that needs to be whitelisted, not the install origin.
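The manifest-path check discussed in the description, as an added example that is not part of the bug report and is not Gecko's own code. The host `marketplace.example`, the manifest file names and the function names are constructed; the two list values are the ones quoted above.

```javascript
// Added example. Host, file names and function names are constructed;
// the two list values are the ones quoted in the bug description.
const OLD_LIST = "/reviewers/,/content/addon/review/"; // second entry is an install-origin path
const NEW_LIST = "/reviewers/,/extension/reviewers/";  // both entries are manifest paths

// Split the comma-separated list and keep only entries shaped like "/dir/".
// Requiring the trailing slash stops "/reviewers" from matching "/reviewers-x/".
function parsePermittedList(value) {
  return value
    .split(",")
    .map((entry) => entry.trim())
    .filter((entry) => entry.startsWith("/") && entry.endsWith("/"));
}

// True when the manifest URL's path sits under a permitted prefix.
// Only the manifest URL is consulted; the install origin plays no part.
function usesReviewerCerts(manifestURL, listValue) {
  let path;
  try {
    // The URL parser resolves "." and ".." segments before we compare.
    path = new URL(manifestURL).pathname;
  } catch (e) {
    return false; // unparseable manifest URL: treat as not a reviewer package
  }
  return parsePermittedList(listValue).some((prefix) => path.startsWith(prefix));
}

// Constructed sample manifests for a web app and an add-on under review.
const SAMPLES = {
  webapp: "https://marketplace.example/reviewers/app/1/manifest.webapp",
  addon: "https://marketplace.example/extension/reviewers/2/manifest.json",
  traversal: "https://marketplace.example/reviewers/../extension/3/manifest.json",
};

// Evaluate every sample against both lists to show what the fix changes.
function compareLists() {
  const out = {};
  for (const [name, url] of Object.entries(SAMPLES)) {
    out[name] = {
      before: usesReviewerCerts(url, OLD_LIST),
      after: usesReviewerCerts(url, NEW_LIST),
    };
  }
  return out;
}

console.log(compareLists());
```

Only the add-on sample changes between the two lists: it is rejected with the old value and accepted with the corrected one, while the `..` path is rejected by both.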

Updated

3 years ago
blocking-b2g: --- → 2.5+
feature-b2g: --- → 2.5+
Hey Fabrice, any ideas on whose team this would need help from?
Flags: needinfo?(fabrice)
If the only change is to update the pref to "/reviewers/,/extension/reviewers/" that's a totally trivial change.
Flags: needinfo?(fabrice)
Is this bug not the same as Bug 1213919?
(Reporter)

Comment 5

3 years ago
It's a fix on 1213919.
https://hg.mozilla.org/mozilla-central/rev/172b1a3f267f
Status: NEW → RESOLVED
Last Resolved: 3 years ago
status-firefox44: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla44
Status: RESOLVED → VERIFIED

Updated

7 months ago
Product: Core → Core Graveyard