xpinstall.enabled can be bypassed by drag and dropping .xpi file into the about:addons page

RESOLVED INVALID


People: Reporter: josip.semren, Unassigned
Tracking: sec-moderate, 41 Branch
Firefox Tracking Flags: Not tracked

Description (Reporter, 3 years ago)

User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0
Build ID: 20150929144111

Steps to reproduce:

Dragged and dropped a .xpi file into the about:addons page while xpinstall.enabled was false.


Actual results:

The addon was installed without any problems.


Expected results:

It should not have been installed at all. The result should have been a pop-up with the message "Software installation has been disabled by your system administrator".

Updated by Reporter (3 years ago)
Keywords: sec-moderate

Updated (3 years ago)
Component: Untriaged → Add-ons Manager
Product: Firefox → Toolkit

Comment 1 (Dave Townsend [:mossop])

xpinstall.enabled is only intended to block websites initiating add-on installs.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → INVALID

Comment 2 (Reporter, 3 years ago)

(In reply to Dave Townsend [:mossop] from comment #1)
> xpinstall.enabled is only intended to block websites initiating add-on
> installs.

The setting doesn't just block installs initialized by websites - trying to open a local .xpi file via its file:/// url or its path is blocked as expected.

It is only when opening the Add-on manager and either using the "Install Add-on From File" or drag&dropping that the setting gets completely ignored.

The expected behavior of this setting is that the entire add-on installation system gets enabled/disabled, as described under http://kb.mozillazine.org/About:config_entries#XPInstall.

As it is, our users can freely bypass it by downloading add-ons to a file and installing from file (or installing a file they got via e-mail), which is a pretty bad scenario.

Updated by Reporter (3 years ago)
Status: RESOLVED → UNCONFIRMED
Resolution: INVALID → ---

Comment 3

(In reply to Josip Semren from comment #2)
> (In reply to Dave Townsend [:mossop] from comment #1)
> > xpinstall.enabled is only intended to block websites initiating add-on
> > installs.
> 
> The setting doesn't just block installs initialized by websites - 
> trying to open a local .xpi file via its file:/// url or its path is blocked
> as expected.

This is effectively the same mechanism as installing from websites for unfortunate architecture reasons.

> It is only when opening the Add-on manager and either using the "Install
> Add-on From File" or drag&dropping
> that the setting gets completely ignored.

It also doesn't block add-on updates or sideloading.

> The expected behavior of this setting is that the entire add-on installation
> system gets enabled/disabled, 
> as described under http://kb.mozillazine.org/About:config_entries#XPInstall.

The page there (which isn't official Mozilla documentation as it happens) says it disables the XPInstall system. This is the system that allows webpages to install add-ons into Firefox and as it says when we exposed it in prefs it was labelled as "Allow web sites to install software".
Status: UNCONFIRMED → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → INVALID