Bug 1435147 (Closed)
Opened 6 years ago, closed 6 years ago

mozregression for Windows installation steps are insecure (download via http://)

Categories: Testing :: mozregression, enhancement
Tracking: Not tracked
Status: RESOLVED FIXED
People: Reporter: jan, Unassigned
References: none
Keywords: nightly-community
Attachments: 1 file (2.42 MB, image/png)
https://mozilla.github.io/mozregression/install.html
> Download and install python 2.7 from ActiveState. It will include pip and set python in your PATH.

1) "ActiveState" links to
http://www.activestate.com/activepython/downloads
which redirects to
https://www.activestate.com/activepython/downloads
which links to
https://www.activestate.com/activepython/downloads/thank-you?dl=http://downloads.activestate.com/ActivePython/releases/2.7.14.2717/ActivePython-2.7.14.2717-win64-x64-404905.exe
which lets me download
http://downloads.activestate.com/ActivePython/releases/2.7.14.2717/ActivePython-2.7.14.2717-win64-x64-404905.exe

2) https://github.com/mozilla/mozregression contains "http://mozilla.github.com/mozregression" multiple times.
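The pattern the report describes (a documentation page that links to http:// directly, or to an https:// "thank-you" redirect whose dl= parameter points at an http:// binary) is easy to check for mechanically. The following is an added example, not code from the bug or from mozregression; it runs over a constructed snippet modelled on the install page rather than fetching anything, and the regex and the "dl" parameter name are assumptions for illustration.

```python
"""Find documentation links that end up fetching a download over plain HTTP.

Added example (not part of the bug report or of mozregression).  It flags two
cases: links that are http:// themselves, and redirect-style links such as
".../thank-you?dl=<target>" whose dl= target is not https://.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Matches an absolute http(s) URL up to whitespace or a closing delimiter.
URL_RE = re.compile(r"https?://[^\s\"'<>)]+")

# Constructed sample text modelled on the report; not the real page content.
SAMPLE_DOC = """
Download and install python 2.7 from [ActiveState](http://www.activestate.com/activepython/downloads).
Docs: http://mozilla.github.com/mozregression
Thank-you page: https://www.activestate.com/activepython/downloads/thank-you?dl=http://downloads.activestate.com/ActivePython/releases/2.7.14.2717/ActivePython-2.7.14.2717-win64-x64-404905.exe
Secure docs: https://mozilla.github.io/mozregression/install.html
"""


def find_insecure_links(text):
    """Return a list of (url, reason) for every link that is fetched over http://."""
    findings = []
    for url in URL_RE.findall(text):
        parts = urlsplit(url)
        if parts.scheme == "http":
            findings.append((url, "link itself uses http://"))
            continue
        # An https:// page can still hand the browser a plaintext download
        # through a redirect parameter; inspect the embedded target too.
        for target in parse_qs(parts.query).get("dl", []):
            scheme = urlsplit(target).scheme
            if scheme != "https":
                findings.append((url, "dl= target uses %s://" % scheme))
    return findings


if __name__ == "__main__":
    for url, reason in find_insecure_links(SAMPLE_DOC):
        print("%s\n    %s" % (url, reason))
```

Run against a README or a rendered install page, this reports the two direct http:// links and the redirect whose dl= target is http://, while the https://mozilla.github.io link passes.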
Comment 1•6 years ago (Reporter)
*lets
Updated•6 years ago (Reporter)
Blocks: why-still-http
Comment 2•6 years ago
Thanks for pointing this out, I will address it when I have a moment.
Flags: needinfo?(wlachance)
Comment 3•6 years ago
Ok, readme and website updated. Thanks again for the report.
Status: NEW → RESOLVED
Closed: 6 years ago
Flags: needinfo?(wlachance)
Resolution: --- → FIXED
Comment 4•6 years ago (Reporter)
(In reply to William Lachance (:wlach) (use needinfo!) from comment #3)
> Ok, readme and website updated. Thanks again for the report.

Thanks! :) But this part is still a problem: the exe would still be downloaded via http://.

> https://www.activestate.com/activepython/downloads
> links to
> https://www.activestate.com/activepython/downloads/thank-you?dl=http://downloads.activestate.com/ActivePython/releases/2.7.14.2717/ActivePython-2.7.14.2717-win64-x64-404905.exe
> which lets me download
> http://downloads.activestate.com/ActivePython/releases/2.7.14.2717/ActivePython-2.7.14.2717-win64-x64-404905.exe

This is so cool: https://downloads.[...]/downloads/fu**-you?dl=http://downloads.[...].exe

Could one of you contact them with your @mozilla.com address and also suggest https://hstspreload.org/?domain=activestate.com ? https://observatory.mozilla.org/analyze.html?host=activatestate.com should also be interesting for them. (They even redirect https://activestate.com back to http://www.activestate.com/.)

Thanks. ;D
Comment 5•6 years ago
Hey, I doubt a message from me would be any more effective than one from you. Feel free to bring this to their attention, but I don't think there's anything more I can do here.
Comment 6•6 years ago
I'll get in touch with them. Thanks for letting me know.
Comment 7•6 years ago
Note that their download redirect checks to verify that the URL begins with https://downloads.activestate.com/, so you can't just set it to any arbitrary URL.
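Comment 7 describes the kind of allowlist check a download redirect should apply to its dl= parameter. The following is an added example of that check, not ActiveState's or mozregression's code: it parses the target as a URL and requires both an https scheme and an exact allowed host, so a thank-you link can never send the browser to a plaintext download. The allowed hostname and the "dl" parameter name are assumptions for illustration.

```python
"""Allowlist check for a download-redirect parameter.

Added example, not code from the bug or from any of the sites it mentions.
Models the check described in comment 7 (the redirect only accepts targets on
downloads.activestate.com) and additionally requires https://, which is the
part the report is about.
"""
from urllib.parse import parse_qs, urlsplit

# Assumed allowlist entry for illustration.
ALLOWED_HOST = "downloads.activestate.com"


def is_safe_download_target(target):
    """True only for https:// URLs whose host is exactly ALLOWED_HOST.

    The URL is parsed into components rather than compared as a string prefix,
    so the scheme, the host and any userinfo or port are each checked
    explicitly instead of being inferred from the leading characters.
    """
    parts = urlsplit(target)
    try:
        port = parts.port
    except ValueError:
        return False  # malformed port
    return (
        parts.scheme == "https"
        and parts.hostname == ALLOWED_HOST
        and parts.username is None
        and port in (None, 443)
    )


def resolve_redirect(thank_you_url):
    """Return the dl= target to redirect to, or None to refuse the redirect.

    Exactly one dl= value is required; a missing or repeated parameter is
    refused rather than guessed at.
    """
    targets = parse_qs(urlsplit(thank_you_url).query).get("dl", [])
    if len(targets) != 1:
        return None
    target = targets[0]
    return target if is_safe_download_target(target) else None


if __name__ == "__main__":
    # Constructed examples: an https target passes, an http target is refused.
    base = "https://www.activestate.com/activepython/downloads/thank-you?dl="
    for link in (base + "https://downloads.activestate.com/x.exe",
                 base + "http://downloads.activestate.com/x.exe"):
        print(link, "->", resolve_redirect(link))
```

With this in place the http:// variant of the thank-you link from the report is refused instead of being followed, while the https:// link that comment 9 recommends passes unchanged.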
Comment 8•6 years ago (Reporter)
(In reply to April King [:April] from comment #6)
> I'll get in touch with them. Thanks for letting me know.

Did they reply? The download still happens via http://. Otherwise https://mozilla.github.io/mozregression/install.html could have a direct link to
https://downloads.activestate.com/ActivePython/releases/2.7.14.2717/ActivePython-2.7.14.2717-win64-x64-404905.exe
as a temporary solution. If this can't get fixed soon, we would have to reopen this bug because this blocks bug 1436695, I think.
Comment 9•6 years ago
I haven't yet heard back from them. For now I would directly link to the Python version:
https://downloads.activestate.com/ActivePython/releases/2.7.14.2717/ActivePython-2.7.14.2717-win64-x64-404905.exe
It seems to work just fine over HTTPS (which I pointed out to them). I'll let you know if I hear back from them. They don't have any obvious points of contact, so it was just sending them messages on Twitter.