Open Bug 1226613 Opened 4 years ago Updated Last year

Search plugins with a name that's very similar to the name of plugins we ship shouldn't get installed

Categories

(Firefox :: Search, defect, P3)

Tracking

Tracking Status
firefox45 --- affected

People

(Reporter: florian, Unassigned)

Details

(Whiteboard: [hijacking][fxsearch])

When installing a search plugin, we have a duplication check that ensures a user-installed search plugin can't have the same name as an engine we ship.

This check is sometimes abused by hijackers. Some insert whitespace or punctuation at the end of the name (see bug 1154835), some insert additional words that don't convey much meaning.
For example, we ship an engine called "Yahoo" and according to telemetry data, some of our users have an engine called "Yahoo Search" that has been installed.

I think we should harden our duplication check by also checking for a list of alternative names for the engines we ship. This means each default engine file would (optionally) contain a list of alternative names.
Sounds like ignoring special chars and just considering [a-zA-Z0-9] in the current comparison code could already achieve some results without too much effort?
(In reply to Marco Bonardo [::mak] from comment #1)
> Sounds like ignoring special chars and just considering [a-zA-Z0-9] in the
> current comparison code could already achieve some results without too much
> effort?

Yes, that's the first step that I will implement in bug 1154835. It's not as simple as 'just considering [a-zA-Z0-9]' because the default names for Yandex in Russia and Baidu in China don't use these characters.
Heh, right, we'd need a way to remove punctuation from different locales. That is feasible with a library like http://xregexp.com/plugins/ (MIT license, so I think we can use it), and probably with ICU, which we bundle (but it's not trivial to implement Unicode \P regex).
It should be possible with that library to define a regex that matches anything that is not a letter or an ideograph.
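The approach discussed in the comments above (drop everything that is not a letter or ideograph, then also compare against a per-engine list of alternative names), as an added example that is not part of the bug thread or of Firefox's code. It uses JavaScript's built-in Unicode property escapes rather than the XRegExp library mentioned; the engine list and the names `nameKey`, `buildShippedKeys` and `findCollision` are hypothetical.

```javascript
// Added example. Engine names and alias lists are constructed sample data.
const SHIPPED_ENGINES = [
  { name: "Yahoo", altNames: ["Yahoo Search"] },
  { name: "Яндекс", altNames: [] },
  { name: "百度", altNames: [] },
];

// Reduce a display name to a comparison key:
//  - NFKC folds compatibility forms (e.g. fullwidth Latin) to their base form
//  - lowercasing makes the match case-insensitive
//  - the regex drops everything that is not a letter (\p{L}, which includes
//    ideographs), a combining mark (\p{M}) or a number (\p{N})
function nameKey(name) {
  return name
    .normalize("NFKC")
    .toLowerCase()
    .replace(/[^\p{L}\p{M}\p{N}]/gu, "");
}

// Map every shipped name and alternative name to the engine it belongs to.
function buildShippedKeys(engines) {
  const keys = new Map();
  for (const engine of engines) {
    for (const n of [engine.name, ...engine.altNames]) {
      keys.set(nameKey(n), engine.name);
    }
  }
  return keys;
}

// Return the shipped engine a candidate name collides with, or null.
function findCollision(candidate, keys) {
  const key = nameKey(candidate);
  // A name made only of whitespace or punctuation has an empty key
  // and matches no shipped engine.
  if (key === "") return null;
  return keys.has(key) ? keys.get(key) : null;
}

const SHIPPED_KEYS = buildShippedKeys(SHIPPED_ENGINES);
for (const c of ["Yahoo ", "Yahoo.", "yahoo search", "Яндекс!", "百度。", "DuckDuckGo"]) {
  console.log(JSON.stringify(c), "->", findCollision(c, SHIPPED_KEYS));
}
```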
Please remember that not all users may want to be forced to use Mozilla search plugins for services covered by default search plugins, and part of the usage mentioned above could be a workaround for issues like bug 353056.
Moving to p3 because no activity for at least 1 year(s).
See https://github.com/mozilla/bug-handling/blob/master/policy/triage-bugzilla.md#how-do-you-triage for more information
Priority: P2 → P3