Closed Bug 1356292 Opened 7 years ago Closed 7 years ago

Installing add-ons from non-whitelisted sites no longer gives the option to allow the install if the addon load is redirected

Categories

(Toolkit :: Add-ons Manager, defect)

Product:
Toolkit
Component:
Add-ons Manager
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla55
Tracking Flags:
Tracking Status
firefox-esr52 53+ verified
firefox53 blocking verified
firefox54 + fixed
firefox55 + fixed

People

(Reporter: mossop, Assigned: mossop)

References

Details

Attachments

(1 file, 2 obsolete files)

combined patch
4.98 KB, patch
mossop
: review+
lizzard
: approval-mozilla-aurora+
lizzard
: approval-mozilla-beta+
lizzard
: approval-mozilla-release+
lizzard
: approval-mozilla-esr52+
Details | Diff | Splinter Review 
[Tracking Requested - why for this release]:

[Tracking Requested - why for this release]:

[Tracking Requested - why for this release]:

[Tracking Requested - why for this release]:

Normally when installing from a non-whitelisted site we give a doorhanger offering allow or don't allow options to the user. This was broken by bug 1353975 and now the install is just blocked.
Blocks: CVE-2017-5466
As an example go to https://github.com/mozilla/onboard/releases/ and click the XPI to install.
The changes in bug 1353975 set the "principal to inherit" to a nullprincipal when an HTTP redirect happens for a document load.  

Looking at the testcase in comment 1, the link points to https://github.com/mozilla/onboard/releases/download/v1.0.0-rc8/onboard-v1.xpi which redirects to <https://github-cloud.s3.amazonaws.com/releases/85563262/d64b0a48-1eed-11e7-82d1-218bfdee45ea.xpi?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAISTNZFOVBIJMK3TQ%2F20170413%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20170413T173153Z&X-Amz-Expires=300&X-Amz-Signature=44bdceab6c287701ee53e10ded0b7b235ecc664f35e95e6bdfd83556559c90ea&X-Amz-SignedHeaders=host&actor_id=0&response-content-disposition=inline%3B%20filename%3Donboard-v1.xpi&response-content-type=application%2Fx-xpinstall> so it's hitting the "document load being redirected" codepath.

Why is this amContentHandler code examining the principalToInherit at all in cases when it's not relevant (as here; http:// doesn't use the principalToInherit)?  Looks like it dates back to the fix for bug 1297338, but before then it was just using the triggeringPrincipal... Is the idea to determine "which page requested the install" or something?  If so, should the relevant principal here be the one for https://github.com/mozilla/onboard/releases/ or the one for https://github.com/mozilla/onboard/releases/download/v1.0.0-rc8/onboard-v1.xpi (which may have been on a different site, but wasn't in this case)?  The latter is what decided where to actually redirect to and hence where the addon is really coming from....
Summary: Installing add-ons from non-whitelisted sites no longer gives the option to allow the install → Installing add-ons from non-whitelisted sites no longer gives the option to allow the install if the addon load is redirected
(In reply to Boris Zbarsky [:bz] (still a bit busy) (if a patch has no decent message, automatic r-) from comment #3)
> Why is this amContentHandler code examining the principalToInherit at all in
> cases when it's not relevant (as here; http:// doesn't use the
> principalToInherit)?  Looks like it dates back to the fix for bug 1297338,
> but before then it was just using the triggeringPrincipal... Is the idea to
> determine "which page requested the install" or something?  If so, should
> the relevant principal here be the one for
> https://github.com/mozilla/onboard/releases/ or the one for
> https://github.com/mozilla/onboard/releases/download/v1.0.0-rc8/onboard-v1.
> xpi (which may have been on a different site, but wasn't in this case)?  The
> latter is what decided where to actually redirect to and hence where the
> addon is really coming from....

We care about the page that originally initiated the install regardless of redirects, i.e the original link. If a page links to an AMO url that redirects to the real XPI to install we want to compare the original page's principal, not AMO's.
OK.  So...

Normally the "triggering principal" would be the right thing in that situation.  The only reason it's not is because of bug 1297338 comment 50 and bug 1297338 comment 55: we have tests for what happens when an XPI url is loaded from the URL bar, and those tests expect "the page that initiated the install" to be the page that happened to be loaded when the user hit enter on the pasted XPI link, afaict.  And I'm not sure that's a reasonable expectation to start with.

We did things this way because the ways principalToInherit was used were very limited at first.  But now it's being used in more different ways, so we should probably revisit this decision, and perhaps the substance of the browser_bug553455.js test.  Or at least the test_urlbar() parts of it.
(In reply to Boris Zbarsky [:bz] (still a bit busy) (if a patch has no decent message, automatic r-) from comment #5)
> OK.  So...
> 
> Normally the "triggering principal" would be the right thing in that
> situation.  The only reason it's not is because of bug 1297338 comment 50
> and bug 1297338 comment 55: we have tests for what happens when an XPI url
> is loaded from the URL bar, and those tests expect "the page that initiated
> the install" to be the page that happened to be loaded when the user hit
> enter on the pasted XPI link, afaict.  And I'm not sure that's a reasonable
> expectation to start with.

I'm not sure if I'm just restating what you already understand here, but installing add-ons by entering an XPI url into the address bar has been broken for some time, something that ideally we would fix but was apparently hard to do at the time. I believe it was bug 1042699 that broke that.
> but installing add-ons by entering an XPI url into the address bar has been broken for some time

I did not know that, in fact.  ;)

Given that, what is test_urlbar() testing?
(In reply to Boris Zbarsky [:bz] (still a bit busy) (if a patch has no decent message, automatic r-) from comment #7)
> > but installing add-ons by entering an XPI url into the address bar has been broken for some time
> 
> I did not know that, in fact.  ;)
> 
> Given that, what is test_urlbar() testing?

It's testing that it is blocked with the error message that we expect.
OK.  Why does/should it get blocked?  That is, what is the actual security check we perform?  Why did that security check stop working right when we started using "system" as the triggering principal for loads via the URL bar (which is what necessitated the change to using principalToInherit to make the test happy)?

That is, loads via the URL bar currently end up looking, for purposes of that test, as if they came from the page that was loaded when the URL bar load was kicked off, right?  But we don't want to block installs from pages, but _do_ want to block them from the url bar, sounds like, so I'm a bit confused as to what's being tested, exactly.
Tracking for 53. I'm not clear yet here what behavior we expect  and whether this is a 53 release blocking issue.
status-firefox53: --- → affected
status-firefox54: --- → affected
status-firefox55: --- → affected
tracking-firefox53: ?+
tracking-firefox54: ?+
tracking-firefox55: ?+
Comment 0 is still valid and this should be a release blocker.
Yeah seems release blocking. I will hold the 53 RC 3 build. 
We are at some risk now of slipping the release date.
tracking-firefox53: +blocking
ESR52 would also be affected.
status-firefox-esr52: --- → affected
I think Boris is already mentioning everything that's relevant.

I used the STRs from comment 0:
* go to https://github.com/mozilla/onboard/releases/
* click the XPI to install.
* Result: Nightly prevented addon installation
* Expected: Addon installation should be allowed

Just for the sake of completeness and to avoid false expectations, here are the values in the loadInfo:
  channelURI: https://github.com/mozilla/onboard/releases/download/v1.0.0-rc8/onboard-v1.xpi
  loadingPrincipal: nullptr
  triggeringPrincipal: https://github.com/mozilla/onboard/releases/
  principalToInherit: https://github.com/mozilla/onboard/releases/
  contentPolicyType: 6
  securityMode: SEC_ALLOW_CROSS_ORIGIN_DATA_IS_NULL, 
  initalSecurityChecksDone: yes
  enforceSecurity: yes

and after the redirect:

doContentSecurityCheck {
  channelURI: https://github-cloud.s3.amazonaws.com/releases/85563262/d64b0a48-1eed-11e7-82d1-218bfdee45ea.xpi?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAISTNZFOVBIJMK3TQ%2F20170413%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20170413T190658Z&X-Amz-Expires=300&X-Amz-Signature=cffef173263b01b99b72808c138772b1ba94801991b9bc494f9aec0be39c667b&X-Amz-SignedHeaders=host&actor_id=0&response-content-disposition=inline%3B%20filename%3Donboard-v1.xpi&response-content-type=application%2Fx-xpinstall
  loadingPrincipal: nullptr
  triggeringPrincipal: https://github.com/mozilla/onboard/releases/
  principalToInherit: NullPrincipal
  contentPolicyType: 6
  securityMode: SEC_ALLOW_CROSS_ORIGIN_DATA_IS_NULL, 
  initalSecurityChecksDone: yes
  enforceSecurity: yes

Probably it's best if we understand what test_urlBar() within browser_bug553455.js is testing precisely and then we can take it from there.
Flags: needinfo?(ckerschb)
(In reply to Boris Zbarsky [:bz] (still a bit busy) (if a patch has no decent message, automatic r-) from comment #9)
> OK.  Why does/should it get blocked?  That is, what is the actual security
> check we perform?  Why did that security check stop working right when we
> started using "system" as the triggering principal for loads via the URL bar
> (which is what necessitated the change to using principalToInherit to make
> the test happy)?
> 
> That is, loads via the URL bar currently end up looking, for purposes of
> that test, as if they came from the page that was loaded when the URL bar
> load was kicked off, right?  But we don't want to block installs from pages,
> but _do_ want to block them from the url bar, sounds like, so I'm a bit
> confused as to what's being tested, exactly.

The ideal is that urls initiated from the url bar bypass the whitelist and start the install without the whitelist prompt. Before bug 1042699 we did that by seeing that the internalReferer of the load was null. Bug 1042699 necessitated switching to checking the triggeringPrincipal for loads and if it was a null principal banning the install. This had the side effect of blocking installs from the url bar where the triggeringPrincipal was also null. We punted on fixing that because it was more important to fix the security issue than maintaining that particular feature. I added a test verifying that url bar installs did what we now "expected".

In retrospect I probably should have commented in that test explaining that it wasn't really what we wanted to happen because it sounds like in bug 1297338 we might have made installs from the url bar work, seen it broke the test and so assumed it wasn't something we wanted and fixed that. Is that a fair summary? I clearly should have read the bug more thoroughly before reviewing :(
Just chatted with :mossop on IRC. The expected behavior:

* when pasting "https://github.com/mozilla/onboard/releases/download/v1.0.0-rc9/onboard-v1.xpi" into the address bar?
-> Install should be allowed

* when clicking the link for the *.xpi on "https://github.com/mozilla/onboard/releases/"?
-> check github.com against our whitelist and (as it is not in there by default) we should show a doorhanger asking the user if they want to allow the install or not
> it sounds like in bug 1297338 we might have made installs from the url bar work

Yep.  Specifically, after that bug, loads from the url bar have a system principal as triggering principal.  Per bug 1042699 comment 37 that would make them work.

So it sounds to me like we should do the following:

1) Back out https://hg.mozilla.org/mozilla-central/diff/57d473c3ca22/toolkit/mozapps/extensions/amContentHandler.js

2) Back out https://hg.mozilla.org/mozilla-central/rev/a3056e9ae41a

3) Fix the browser_bug553455.js by adjusting the test expectation.

Is that about right?

Christoph or I (or anyone else) can obviously do #1 and #2 quite easily.  Could use help on #3.
(In reply to Boris Zbarsky [:bz] (still a bit busy) (if a patch has no decent message, automatic r-) from comment #17)
> > it sounds like in bug 1297338 we might have made installs from the url bar work
> 
> Yep.  Specifically, after that bug, loads from the url bar have a system
> principal as triggering principal.  Per bug 1042699 comment 37 that would
> make them work.
> 
> So it sounds to me like we should do the following:
> 
> 1) Back out
> https://hg.mozilla.org/mozilla-central/diff/57d473c3ca22/toolkit/mozapps/
> extensions/amContentHandler.js
> 
> 2) Back out https://hg.mozilla.org/mozilla-central/rev/a3056e9ae41a
> 
> 3) Fix the browser_bug553455.js by adjusting the test expectation.
> 
> Is that about right?
> 
> Christoph or I (or anyone else) can obviously do #1 and #2 quite easily. 
> Could use help on #3.

I'm working on #3 now.
(In reply to Boris Zbarsky [:bz] (still a bit busy) (if a patch has no decent message, automatic r-) from comment #17)
> So it sounds to me like we should do the following:
> 
> 1) Back out
> https://hg.mozilla.org/mozilla-central/diff/57d473c3ca22/toolkit/mozapps/
> extensions/amContentHandler.js
> 
> 2) Back out https://hg.mozilla.org/mozilla-central/rev/a3056e9ae41a
> 
> 3) Fix the browser_bug553455.js by adjusting the test expectation.
> 
> Is that about right?

That's what I thought actually, and I suppose this is what the attached patch is doing, or have I missed something? Anyway, when looking at the expected behavior for:

> * when pasting
> "https://github.com/mozilla/onboard/releases/download/v1.0.0-rc9/onboard-v1.
> xpi" into the address bar?
> -> Install should be allowed

Actual result:
[Nightly has prevented this site from installling an unverified addon.]

> * when clicking the link for the *.xpi on
> "https://github.com/mozilla/onboard/releases/"?
> -> check github.com against our whitelist and (as it is not in there by
> default) we should show a doorhanger asking the user if they want to allow
> the install or not

Actual result:
Nightly prevented this site from asking you to install software on your computer.
[Don't Allow] [Allow]

--> click allow

Nightly has prevented this site from installling an unverified addon.


That doesn't sound right in the end, does it? What have I missed?
Attachment #8858126 - Flags: feedback?(bzbarsky)
(In reply to Christoph Kerschbaumer [:ckerschb] from comment #19)
> Created attachment 8858126 [details] [diff] [review]
> bug_1356292_addon_redirect_problem.patch
> 
> (In reply to Boris Zbarsky [:bz] (still a bit busy) (if a patch has no
> decent message, automatic r-) from comment #17)
> > So it sounds to me like we should do the following:
> > 
> > 1) Back out
> > https://hg.mozilla.org/mozilla-central/diff/57d473c3ca22/toolkit/mozapps/
> > extensions/amContentHandler.js
> > 
> > 2) Back out https://hg.mozilla.org/mozilla-central/rev/a3056e9ae41a
> > 
> > 3) Fix the browser_bug553455.js by adjusting the test expectation.
> > 
> > Is that about right?
> 
> That's what I thought actually, and I suppose this is what the attached
> patch is doing, or have I missed something? Anyway, when looking at the
> expected behavior for:
> 
> > * when pasting
> > "https://github.com/mozilla/onboard/releases/download/v1.0.0-rc9/onboard-v1.
> > xpi" into the address bar?
> > -> Install should be allowed
> 
> Actual result:
> [Nightly has prevented this site from installling an unverified addon.]

This is the right behaviour. This add-on is unsigned so you need to flip xpinstall.signatures.required to false for the install to proceed beyond the signing check.

> > * when clicking the link for the *.xpi on
> > "https://github.com/mozilla/onboard/releases/"?
> > -> check github.com against our whitelist and (as it is not in there by
> > default) we should show a doorhanger asking the user if they want to allow
> > the install or not
> 
> Actual result:
> Nightly prevented this site from asking you to install software on your
> computer.
> [Don't Allow] [Allow]
> 
> --> click allow
> 
> Nightly has prevented this site from installling an unverified addon.
> 
> 
> That doesn't sound right in the end, does it? What have I missed?

Same again.
Comment on attachment 8858126 [details] [diff] [review]
bug_1356292_addon_redirect_problem.patch

r=me
Attachment #8858126 - Flags: review+
Attachment #8858126 - Flags: feedback?(bzbarsky)
Attachment #8858126 - Flags: feedback+
Attached patch testcase change (obsolete) — Splinter Review 
This changes test_urlbar to behave the way we want, that is that XPIs entered on the url bar are whitelisted and install proceeds.
Assignee: nobody → dtownsend
Attachment #8858129 - Flags: review?(aswan)
We should probably add a testcase for the unwhitelisted install that gets redirect case that caught this in the first place, might take me a little longer to do that.
This is happening with Amazon as well. See:

https://bugzilla.mozilla.org/show_bug.cgi?id=1356388

Can we verify they work after the fix as well please?
Comment on attachment 8858129 [details] [diff] [review]
testcase change

Review of attachment 8858129 [details] [diff] [review]:
-----------------------------------------------------------------

It would be nice to create functions for repeated fragments of code but I think that's outside the scope of what's needed immediately.
r=me with the `Services.perms.remove()` call removed.

::: browser/base/content/test/general/browser_bug553455.js
@@ +733,5 @@
> +    is(notification.getAttribute("label"),
> +             "XPI Test will be installed after you restart " + gApp + ".",
> +             "Should have seen the right message");
> +
> +    let installs = yield getInstalls();

AddonManager methods now do promises natively so this could be `yield AddonManager.getAllInstalls();` but keeping I guess keeping it consistent with the rest of this file is probably better.

@@ +737,5 @@
> +    let installs = yield getInstalls();
> +    is(installs.length, 1, "Should be one pending install");
> +    installs[0].cancel();
> +
> +    Services.perms.remove(makeURI("http://example.com/"), "install");

I don't think this belongs here?
Attachment #8858129 - Flags: review?(aswan) → review+
Pushed by dtownsend@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/1197636189f2
Switch back to triggering principal checks for add-on install permission checking to allow url bar triggered installs to proceed. r=bz, r=aswan
Want to do the uplift request now? We can approve it after this looks ok on m-c.
 
Andrei, can your team verify the case from bug 1356388? Thanks!
Flags: needinfo?(dtownsend)
Flags: needinfo?(andrei.vaida)
Attached patch combined patchSplinter Review 
[Approval Request Comment]
If this is not a sec:{high,crit} bug, please state case for ESR consideration: Bug 1353975 broke this on ESR 52 so we should probably take the fix there too.
User impact if declined: Users will be unable to install add-ons from certain websites
Fix Landed on Version: 55
Risk to taking this patch (and alternatives if risky): Low risk, well tested
String or UUID changes made by this patch: None
Attachment #8858126 - Attachment is obsolete: true
Attachment #8858129 - Attachment is obsolete: true
Flags: needinfo?(dtownsend)
Attachment #8858152 - Flags: review+
Attachment #8858152 - Flags: approval-mozilla-release?
Attachment #8858152 - Flags: approval-mozilla-esr52?
Attachment #8858152 - Flags: approval-mozilla-beta?
Attachment #8858152 - Flags: approval-mozilla-aurora?
Comment on attachment 8858152 [details] [diff] [review]
combined patch

Looks good on inbound enough to where let's just get this onto m-r for the RC3 build.
Attachment #8858152 - Flags: approval-mozilla-release?
Attachment #8858152 - Flags: approval-mozilla-release+
Attachment #8858152 - Flags: approval-mozilla-esr52?
Attachment #8858152 - Flags: approval-mozilla-esr52+
Attachment #8858152 - Flags: approval-mozilla-beta?
Attachment #8858152 - Flags: approval-mozilla-beta+
Attachment #8858152 - Flags: approval-mozilla-aurora?
Attachment #8858152 - Flags: approval-mozilla-aurora+
https://hg.mozilla.org/releases/mozilla-aurora/rev/189ed7b2306f

We should definitely land a test for this still. In the mean time, manual QA will have to suffice.
status-firefox54: affectedfixed
Flags: in-testsuite?
This needs a rebased patch for ESR52. Dave, please go ahead and push it when ready so we can get the respin going as soon as possible.
Flags: needinfo?(dtownsend)
https://hg.mozilla.org/mozilla-central/rev/1197636189f2
Status: NEW → RESOLVED
Closed: 7 years ago
status-firefox55: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla55
Reproduced the initial issue using:
- lastpass add-on (from https://www.lastpass.com/?lpInstall)
- amazon add-on (from https://www.amazon.com/gp/BIT/ref=bit_v2_surl_a?bitCampaignCode=A0027)
- noscript add-on (from https://noscript.net/) 

Verified using latest Nightly that the add-ons are successfully installed and the correct message is displayed so the user can Allow or Don't Allow the install, using Firefox 53.0rc-build6 across platforms (Ubuntu 16.04 64bit, macOS 10.12.4, Windows 10 64bit and Windows 7 64bit).
status-firefox53: fixedverified
Flags: needinfo?(andrei.vaida)
The issue was reproduced on 55.0a1 (2017-04-13), using the STR from comment 0, comment 14 and the add-ons from comment 35. We can confirm that it is verified fixed on 52.1.0esr-build3 (20170417065206), using Windows 7 x64, Windows 10 x64, macOS 10.12 and Ubuntu 14.04 x64: the add-ons are successfully installed and the doorhanger offering Allow or Don't Allow options to the user is properly displayed.
status-firefox-esr52: fixedverified
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: