Add-ons can still be sideloaded in the installation directory in FX74/FX75
Categories
(Toolkit :: Add-ons Manager, defect, P1)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr68 | --- | unaffected |
| firefox73 | --- | unaffected |
| firefox74 | + | verified |
| firefox75 | --- | verified |
People
(Reporter: alexandru.cornestean, Assigned: mixedpuppy)
References
(Blocks 1 open bug)
Details
Attachments
(2 files)
|
117.71 KB,
image/png
|
Details | |
|
47 bytes,
text/x-phabricator-request
|
pascalc
:
approval-mozilla-beta+
|
Details | Review |
installation directory sideload.png
[Affected versions]:
- Firefox 74.0b5/20200218224219
- Firefox 75.0a1/20200218213359
[Affected platforms]: - Windows 10 Pro 64-bit
- macOS Catalina 10.15
- Ubuntu 16.04 LTS
- Copy the add-on in the browser’s installation directory, under “browser” → “extensions”.
- The “extensions” folder must be created if non existent.
macOS:
- Copy the add-on in the browser’s installation directory, under “Contents”→”Resources”→”browser”→”extensions”.
- The “extensions” folder must be created if non existent.
- To access the above path, go to the location of the Firefox executable, right click it and in the displayed menu, select “Show package Contents”.
Ubuntu:
- Copy the add-on in the browser’s installation directory, under “browser” → “extensions”.
- The “extensions” folder must be created if non existent.
[Steps to reproduce]:
- Launch the browser
- Access the Add-ons Manager page (type about:addons in the URL bar)
- Go to the Extensions tab
- Notice that the previously sideloaded add-on is installed and disabled
- Click on the three-dot menu on the add-on’s card
- Observe that the “Remove” option is not available, instead the “Can’t Be Removed Why?” option is present
[Description]:
Add-ons can still be sideloaded in the installation directory of the browser in FX74/FX75, with no option to remove them afterwards from Add-ons Manager.
[Expected results]:
Sideloading add-ons in the installation directory should no longer be possible as of FX74/FX75. Only profile sideloads should be allowed.
[Actual results]:
Add-ons can still be sideloaded in the installation directory in FX74/FX75 and cannot be removed via Add-ons Manager.
|
||
Updated•5 years ago
|
|
Assignee | |
Comment 1•5 years ago
|
||
Andrew, are you aware of any reason we allowed sideloads inside the application directory like this? I'm inclined to not only prevent that, but to automatically remove any addon sideloaded this way.
|
||
Comment 2•5 years ago
|
||
(In reply to Shane Caraveo (:mixedpuppy) from comment #1)
Andrew, are you aware of any reason we allowed sideloads inside the application directory like this? I'm inclined to not only prevent that, but to automatically remove any addon sideloaded this way.
I think the answer is simply that before the recent restrictions on sideloading were introduced, there was no reason to put restrictions on this location since it was much easier to sideload into other locations.
I'm not sure what this location is used for these days, its not used by regular Firefox. For other potential users we have distribution addons, the built-in location, system addons, etc., all of which could serve the same purpose. Maybe this location could be retired?
|
|
Assignee | |
Comment 3•5 years ago
|
||
|
||
Updated•5 years ago
|
|
|
Assignee | |
Comment 4•5 years ago
|
||
We have telemetry that shows it is not uncommon to use this directory for lang packs. So rather than retire it, just avoid future sideloading into it for our official release.
|
|
Assignee | |
Updated•5 years ago
|
|
|
Assignee | |
Comment 6•5 years ago
|
||
|
|
Assignee | |
Comment 7•5 years ago
|
||
|
|
Assignee | |
Comment 9•5 years ago
|
||
Alex, this should land on central soon. If you can verify nightly, I'll put in an uplift request.
Thanks!
|
||
Comment 10•5 years ago
|
||
| bugherder | ||
|
||
Updated•5 years ago
|
|
Reporter | |
Comment 11•5 years ago
|
||
Hey Shane!
I verified the fix on the latest Nightly (75.0a1/20200225094028) under Windows 10 Pro 64-bit, macOS Catalina 10.15 and Ubuntu 16.04 LTS.
As it currently stands, the installation directory sideload location is now blocked. No add-on installation occurs from there anymore.
Any add-on installed from that location prior to this build can now also be properly removed via add-ons manager after updating to the latest Nightly version.
I believe you can request the uplift now.
Thanks!
|
|
Assignee | |
Comment 12•5 years ago
|
||
Comment on attachment 9128211 [details]
Bug 1616545 prevent sideloading in application install directory
Beta/Release Uplift Approval Request
- User impact if declined: Sideloaded addons are possible in the application install directory.
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: Yes
- Needs manual test from QE?: Yes
- If yes, steps to reproduce: QE should probably reverify on beta, they have a test plan already.
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): It is only changing the default value of a constant used to decide what locations are allowed to sideload.
- String changes made/needed: none
|
|
Assignee | |
Updated•5 years ago
|
|
|
||
Comment 13•5 years ago
|
||
Comment on attachment 9128211 [details]
Bug 1616545 prevent sideloading in application install directory
P1 and the bug caused a yellow sign off for the feature, uplift approved for 74.0b8, thanks.
|
||
Comment 14•5 years ago
|
||
| bugherder uplift | ||
|
||
Updated•5 years ago
|
|
|
Reporter | |
Comment 15•5 years ago
|
||
Verified the fix on the latest Beta (74.0b8/20200226031638) under Windows 10 Pro 64-bit, macOS Catalina 10.15 and Ubuntu 16.04 LTS.
The installation directory sideload location is blocked, no add-on installation occurs from there anymore.
Furthermore, any add-on installed from that location prior to this can be properly removed via add-ons manager after updating to the latest version.
|
|
||
Updated•5 years ago
|
|
|
||
Updated•5 years ago
|
Description
•