Closed Bug 1359837 Opened 8 years ago Closed 8 years ago

If xpinstall.enabled is false and locked, pages should not be able to use mozAddonManager

Categories

(Toolkit :: Add-ons Manager, defect)

Product:
Toolkit
Component:
Add-ons Manager
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla55
Tracking Flags:
Tracking Status
firefox-esr52 54+ fixed
firefox53 --- wontfix
firefox54 + fixed
firefox55 + fixed
firefox59 --- verified

People

(Reporter: mkaply, Assigned: mkaply)

References

Details

(Keywords: sec-want, Whiteboard: [adv-main54-][adv-esr52.2-][adv-main59-] triaged)

Attachments

(1 file)

Bug 1359837 - Block mozAddonsManager if xpinstall.enabled is false/locked.
59 bytes, text/x-review-board-request
mossop
: review+
jcristau
: approval-mozilla-beta+
ritu
: approval-mozilla-esr52+
Details
If xpinstall.enabled is set to false and locked, you can still install test pilot: https://testpilot.firefox.com/ You should not be able to. I imagine you could also use the discovery pane, but we remove the discovery pane if xpinstall.enabled is false, so I couldn't test that.
I'm going to mark this as a security bug, just in case. CC dveditz to make that call.
Group: toolkit-core-security
(In reply to Mike Kaply [:mkaply] from comment #0) > If xpinstall.enabled is set to false and locked, you can still install test > pilot: > > https://testpilot.firefox.com/ > > You should not be able to. > > I imagine you could also use the discovery pane, but we remove the discovery > pane if xpinstall.enabled is false, so I couldn't test that. You can load it directly, for instance: https://discovery.addons.mozilla.org/en-US/firefox/discovery/pane/55.0a1/Darwin/normal It does indeed not have any effect - I think you're correct and this pref should be honored for mozAddonManager. I don't think this needs to be a security bug - having trouble thinking how this could be exploited. It's certainly not something the folks setting this pref probably want though.
Group: toolkit-core-security
Keywords: sec-want
[Tracking Requested - why for this release]: We'll need this on the ESR if possible. There appears to be no way to remove this programmatically by overriding the page via a frame script.
tracking-firefox-esr52: --- → ?
QA Contact: mozilla
How does the test pilot page react when this patch is in and the setting set?
Flags: needinfo?(mozilla)
Even though there is Javascript in the code that checks for mozAddonManager, it seems to assume it is going to have it. It still shows the Install button and when you click it, it changes to Installing and then you get the notification that the install was blocked. So not perfect, but it doesn't do anything really strange. Ideally it should be smart enough to not show the install button.
Flags: needinfo?(mozilla)
Comment on attachment 8862897 [details] Bug 1359837 - Block mozAddonsManager if xpinstall.enabled is false/locked. https://reviewboard.mozilla.org/r/134778/#review138160 r+ for the code but please check that the test pilot site and the discovery page do something sane before landing this
Attachment #8862897 - Flags: review?(dtownsend) → review+
Here's code you can use on the Chrome scratchpad to test this var prefs = Services.prefs.getDefaultBranch(null); prefs.setBoolPref("xpinstall.enabled", false); prefs.lockPref("xpinstall.enabled");
cc'ing Stuart. If this about:config pref is set, mozAddonsManager will not be present. So we might want to ensure we've got a fallback for that in the future. I think right now it falls back to just linking to the .xpi and the normal installation flow.
just making sure this is good to land and you don't need anything :)
Flags: needinfo?(mozilla)
Whiteboard: triaged
(In reply to Andy McKay [:andym] from comment #10) > cc'ing Stuart. If this about:config pref is set, mozAddonsManager will not > be present. So we might want to ensure we've got a fallback for that in the > future. I think right now it falls back to just linking to the .xpi and the > normal installation flow. Yep we have a fallback in place now if mozAddonmanager isn't available so this shouldn't require special handling at the amo end of things.
Here's a video of the experience on the test pilot site. https://youtu.be/MCCWyQ4O4N0 I think the way it works today is fine (no need to update the site)
Flags: needinfo?(mozilla)
Video in comment 13 is for you, Dave, to make sure you are OK with it.
Flags: needinfo?(dtownsend)
+ni John Gruen to review that experience. Any changes to it are likely on the Test Pilot side, though.
Flags: needinfo?(jgruen)
thanks :chuck. will flag this for the UX team in our meeting tomorrow; i bet they can crank out a fix pretty fast. I'll leave the NI open until we resolve in GH
Flags: needinfo?(jgruen)
The user gets a message saying what happens. This seems fine to me.
Flags: needinfo?(dtownsend)
Pushed by mozilla@kaply.com: https://hg.mozilla.org/integration/autoland/rev/4639f041d809 Block mozAddonsManager if xpinstall.enabled is false/locked. r=mossop
https://hg.mozilla.org/mozilla-central/rev/4639f041d809
Status: NEW → RESOLVED
Closed: 8 years ago
status-firefox55: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla55
Please request Beta and ESR52 approval on this when you get a chance. Also, I don't suppose we could write a test for this, could we?
Assignee: nobody → mozilla
status-firefox53: --- → wontfix
status-firefox54: --- → affected
status-firefox-esr52: --- → affected
tracking-firefox54: --- → ?
tracking-firefox55: --- → ?
Flags: needinfo?(mozilla)
Comment on attachment 8862897 [details] Bug 1359837 - Block mozAddonsManager if xpinstall.enabled is false/locked. Approval Request Comment [Feature/Bug causing the regression]: Addon installs from test pilot [User impact if declined]: Admins can't prevent installs from test pilot [Is this code covered by automated tests?]: No [Has the fix been verified in Nightly?]: Yes [Needs manual test from QE? If yes, steps to reproduce]: Using snippet in bug, lock preferences. Verify install doesn't work. [List of other uplifts needed for the feature/fix]: [Is the change risky?]: Low. [Why is the change risky/not risky?]: Very specialized in what it does. [String changes made/needed]: [Approval Request Comment] If this is not a sec:{high,crit} bug, please state case for ESR consideration: User impact if declined: Admin can't prevent addon installs Fix Landed on Version: 54 Risk to taking this patch (and alternatives if risky): Low String or UUID changes made by this patch: None See https://wiki.mozilla.org/Release_Management/ESR_Landing_Process for more info.
Flags: needinfo?(mozilla)
Attachment #8862897 - Flags: approval-mozilla-esr52?
Attachment #8862897 - Flags: approval-mozilla-beta?
As far as a test goes, I'm investigating.
Comment on attachment 8862897 [details] Bug 1359837 - Block mozAddonsManager if xpinstall.enabled is false/locked. respect xpinstall.enabled locking for addons manager, beta54+ Should be in 54.0b13
Attachment #8862897 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Flags: qe-verify+
Comment on attachment 8862897 [details] Bug 1359837 - Block mozAddonsManager if xpinstall.enabled is false/locked. ESR admins should be able to prevent installs from Test Pilot, ESR52+
Attachment #8862897 - Flags: approval-mozilla-esr52? → approval-mozilla-esr52+
Whiteboard: triaged → [adv-main54-][adv-esr52.2-] triaged
Hi Mike! I encounter some problems verifying this issue: It seems that the issue mentioned in comment 0 is not fixed on FX55 because it can be reproduced by following the steps mentioned in comment 9 on Firefox 55.0a1 (Build Id:20170606030207) on Windows 10 64bit, macOS 10.11.6 and Ubuntu 16.04 64bit. This issue is not fixed on Firefox 54.0 (Build Id:20170605134926) on macOS 10.11.6 (It seems that it is fixed on Firefox 54.0 usin Windows 10 64bit and Ubuntu 16.04 64bit). Can you take a look into this? Thanks!
Flags: needinfo?(mozilla)
So it looks like the behavior is different on the Test Pilot site, but in my testing, the installs are still blocked. If you click the intial button, it says test pilot is installed but it is not. If you then click on an experiment and then click the install button, you get a message that the install was blocked. Is this what you are seeing?
Flags: needinfo?(mozilla)
I can see the following: On Firefox 56.0a1(BuildId:20170619030208): After clicking the button to install the Test Pilot, the installation process is successful and the add-on is actually installed. Also this behavior is the same with the experiments (they are successfully installed and added to Firefox) On Firefox 55.0b3(BuildId:20170619071723): Test pilot is not installed and the message that the install was blocked is displayed (On Windows 10 64bit and Ubuntu 16.04 64bit). Test pilot is installed and added to Firefox on macOS 10.11.6. Here is a video of this issue on 56.0a1 (https://drive.google.com/open?id=0B94iuIVMr-TEQVBOYnBUcWZVejg). Thanks!
Flags: needinfo?(mozilla)
Hi Mike! Any thoughts regarding comment 29 ? Thanks!
On Firefox 56, prefs->PrefIsLocked("xpinstall.enabled", &isLocked); is coming back as false. This seems like a pretty serious regression. I'm investigating.
Flags: needinfo?(mozilla)
This is e10s related. If e10s is enabled, the check for lockpref fails. There's a comment here: http://searchfox.org/mozilla-central/source/modules/libpref/nsPrefBranch.cpp#613 That says: ENSURE_MAIN_PROCESS("Cannot check PrefIsLocked from content process:", aPrefName); but I don't get this error anywhere. And when I remove that line, it still doesn't work.
Depends on: 1394578
I verified this is working with 1394578 in. Please retest on nightly
I can confirm that this issue is verified fixed using Firefox 59.0a1 (BuildId:20171205100345) on Windows 10 64bit, macOS 10.11 and Ubuntu 16.06 64bit.
Status: RESOLVED → VERIFIED
status-firefox59: --- → verified
Whiteboard: [adv-main54-][adv-esr52.2-] triaged → [adv-main54-][adv-esr52.2-][adv-main59-] triaged
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: