Bug 1243357 (Closed)
Opened 9 years ago
Closed 9 years ago
xpinstall.enabled can be bypassed by drag and dropping .xpi file into the about:addons page
Categories: Toolkit :: Add-ons Manager, defect
Status: RESOLVED INVALID
Reporter: josip.semren (Unassigned)
Keywords: sec-moderate
User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0
Build ID: 20150929144111
Steps to reproduce:
Dragged and dropped a .xpi file into the about:addons page while xpinstall.enabled was false.
Actual results:
The addon was installed without any problems.
Expected results:
It should not have been installed at all. The result should have been a pop-up with the message "Software installation has been disabled by your system administrator".
Updated by reporter, 9 years ago
Keywords: sec-moderate
Comment 1 by Dave Townsend [:mossop], 9 years ago
xpinstall.enabled is only intended to block websites initiating add-on installs.
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → INVALID
Comment 2 by reporter (Josip Semren), 9 years ago
(In reply to Dave Townsend [:mossop] from comment #1)
> xpinstall.enabled is only intended to block websites initiating add-on
> installs.
The setting doesn't just block installs initialized by websites: trying to open a local .xpi file via its file:/// URL or its path is blocked as expected.
It is only when opening the Add-on manager and either using "Install Add-on From File" or drag & dropping that the setting gets completely ignored.
The expected behavior of this setting is that the entire add-on installation system gets enabled/disabled, as described under http://kb.mozillazine.org/About:config_entries#XPInstall.
As it is, our users can freely bypass it by downloading add-ons to a file and installing from file (or installing a file they got via e-mail), which is a pretty bad scenario.
Updated by reporter, 9 years ago
Status: RESOLVED → UNCONFIRMED
Resolution: INVALID → ---
Comment 3, 9 years ago
(In reply to Josip Semren from comment #2)
> (In reply to Dave Townsend [:mossop] from comment #1)
> > xpinstall.enabled is only intended to block websites initiating add-on
> > installs.
>
> The setting doesn't just block installs initialized by websites -
> trying to open a local .xpi file via its file:/// url or its path is blocked
> as expected.
This is effectively the same mechanism as installing from websites for unfortunate architecture reasons.
> It is only when opening the Add-on manager and either using the "Install
> Add-on From File" or drag&dropping
> that the setting gets completely ignored.
It also doesn't block add-on updates or sideloading.
> The expected behavior of this setting is that the entire add-on installation
> system gets enabled/disabled,
> as described under http://kb.mozillazine.org/About:config_entries#XPInstall.
The page there (which isn't official Mozilla documentation, as it happens) says it disables the XPInstall system. This is the system that allows webpages to install add-ons into Firefox, and, as it says, when we exposed it in prefs it was labelled as "Allow web sites to install software".
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago → 9 years ago
Resolution: --- → INVALID