Closed Bug 1251268 Opened 4 years ago Closed 4 years ago

MozParam condition="pref" should use values from the default pref branch and URI encode them

Categories

(Firefox :: Search, defect)


RESOLVED FIXED
Firefox 47
Tracking Status
firefox47 --- fixed

People

(Reporter: florian, Assigned: florian)


Attachments

(1 file)

We observed in Telemetry data that some parameters controlled by preferences in some built-in search plugins were being abused.

In bug 1247562 we changed our built-in plugins to no longer use the MozParam condition="pref" feature, but unfortunately this change won't have any effect for plugins that were distributed by distribution partners, and there's evidence that these are being abused too.

There are 2 things we can do to stop this:
- use the values from the default preference branch: Preferences set from distribution.ini go to the default branch, and it seems abusers are currently just adding values in the user's prefs.js file
- we've seen URLs with a confusing extra parameter; it turns out the pref was being set to something like "value&tracking=id", and the current code doesn't encode parameter values.
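
The two fixes listed above, modelled as an added example (not the attached patch and not Firefox code). The preference branches are plain Maps, and the pref name, the `client` parameter and the search.example URL are hypothetical.

```javascript
// Constructed stand-ins for the two preference branches (not the real prefs API).
// distribution.ini values land in `defaults`; prefs.js edits land in `user`.
const PREF = "search.param.partner"; // hypothetical pref name
const tampered = {
  defaults: new Map([[PREF, "partner-a"]]),
  user: new Map([[PREF, "value&tracking=id"]]), // value quoted in the bug
};

// Pick the pref value. Before the fix the user-set value wins;
// after the fix only the default branch is consulted.
function mozParamValue(prefs, prefName, defaultOnly) {
  if (!defaultOnly && prefs.user.has(prefName)) return prefs.user.get(prefName);
  return prefs.defaults.get(prefName);
}

// Append name=value to the URL, optionally URI-encoding the value.
function appendParam(url, name, value, encode) {
  if (value === undefined) return url;
  const v = encode ? encodeURIComponent(value) : value;
  return `${url}${url.includes("?") ? "&" : "?"}${name}=${v}`;
}

// hardened=false: pre-fix behaviour; hardened=true: both fixes applied.
function buildSearchUrl(prefs, hardened) {
  const base = "https://search.example/?q=firefox";
  return appendParam(base, "client", mozParamValue(prefs, PREF, hardened), hardened);
}

// Parameter names a server would parse out of the URL.
function paramNames(url) {
  return [...new URL(url).searchParams.keys()];
}

// Encoding matters on its own: even a default-branch value containing
// "&" and "=" must stay inside a single parameter.
const oddDefault = { defaults: new Map([[PREF, "value&tracking=id"]]), user: new Map() };

console.log(buildSearchUrl(tampered, false), paramNames(buildSearchUrl(tampered, false)));
console.log(buildSearchUrl(tampered, true), paramNames(buildSearchUrl(tampered, true)));
console.log(buildSearchUrl(oddDefault, true), paramNames(buildSearchUrl(oddDefault, true)));
```
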
Attached patch: Patch
Attachment #8723607 - Flags: review?(adw)
Comment on attachment 8723607: Patch

Review of attachment 8723607:
-----------------------------------------------------------------

Looks good.
Attachment #8723607 - Flags: review?(adw) → review+
https://hg.mozilla.org/integration/fx-team/rev/67ab004a728d94fc173a4a451c8c4e419555c2e9
Bug 1251268 - MozParam condition="pref" should use values from the default pref branch and URI encode them, r=adw.
https://hg.mozilla.org/mozilla-central/rev/67ab004a728d
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 47
Flags: in-testsuite+