Closed Bug 1243357 Opened 9 years ago Closed 9 years ago

xpinstall.enabled can be bypassed by drag and dropping .xpi file into the about:addons page

Categories

(Toolkit :: Add-ons Manager, defect)

41 Branch
defect
Not set
normal

Tracking


RESOLVED INVALID

People

(Reporter: josip.semren, Unassigned)

Details

(Keywords: sec-moderate)

User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0
Build ID: 20150929144111

Steps to reproduce:

Drag and dropped .xpi file into the about:addons page while xpinstall.enabled was false.

Actual results:

The addon was installed without any problems.

Expected results:

It should not have been installed at all. The result should have been a pop-up with the message "Software installation has been disabled by your system administrator".
Keywords: sec-moderate
Component: Untriaged → Add-ons Manager
Product: Firefox → Toolkit
xpinstall.enabled is only intended to block websites initiating add-on installs.
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → INVALID
(In reply to Dave Townsend [:mossop] from comment #1)
> xpinstall.enabled is only intended to block websites initiating add-on
> installs.

The setting doesn't just block installs initialized by websites - trying to open a local .xpi file via its file:/// url or its path is blocked as expected. It is only when opening the Add-on manager and either using the "Install Add-on From File" or drag&dropping that the setting gets completely ignored.

The expected behavior of this setting is that the entire add-on installation system gets enabled/disabled, as described under http://kb.mozillazine.org/About:config_entries#XPInstall.

As it is, our users can freely bypass it by downloading add-ons to a file and installing from file (or installing a file they got via e-mail), which is a pretty bad scenario.
Status: RESOLVED → UNCONFIRMED
Resolution: INVALID → ---
(In reply to Josip Semren from comment #2)
> (In reply to Dave Townsend [:mossop] from comment #1)
> > xpinstall.enabled is only intended to block websites initiating add-on
> > installs.
>
> The setting doesn't just block installs initialized by websites -
> trying to open a local .xpi file via its file:/// url or its path is blocked
> as expected.

This is effectively the same mechanism as installing from websites for unfortunate architecture reasons.

> It is only when opening the Add-on manager and either using the "Install
> Add-on From File" or drag&dropping
> that the setting gets completely ignored.

It also doesn't block add-on updates or sideloading.

> The expected behavior of this setting is that the entire add-on installation
> system gets enabled/disabled,
> as described under http://kb.mozillazine.org/About:config_entries#XPInstall.

The page there (which isn't official Mozilla documentation as it happens) says it disables the XPInstall system. This is the system that allows webpages to install add-ons into Firefox and, as it says, when we exposed it in prefs it was labelled as "Allow web sites to install software".
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → INVALID