Missing check before merging stored optional ExtensionPermissions with active permissions
Categories
(WebExtensions :: General, defect, P2)
Tracking
(Not tracked)
People
(Reporter: robwu, Unassigned)
References
(Blocks 1 open bug)
Details
(Whiteboard: [addons-jira])
ExtensionPermissions.jsm provides the backend to save optional extension permissions after granting them.
When an extension is installed (or started after a browser upgrade), the permissions are read from the backend, but without verifying that the extension is supposed to have the permission, at https://searchfox.org/mozilla-central/rev/86c98c486f03b598d0f80356b69163fd400ec8aa/toolkit/components/extensions/Extension.jsm#1251-1258.
This is a problem, because the storage of ExtensionPermissions could contain items that are not supposed to be part of the extension. Examples:
- In the past, bug 1522918 did not remove permissions upon uninstall.
- Bug 1766913, due to missing checks of permissions.request()
- Removed optional permissions aren't removed from the storage when an item is removed from optional_permissions (or host_permissions?) - https://searchfox.org/mozilla-central/rev/86c98c486f03b598d0f80356b69163fd400ec8aa/toolkit/components/extensions/Extension.jsm#974-978
- The storage could have been modified externally.
In short, there can be multiple reasons for ExtensionPermissions to contain too many values, so we should filter the retrieved permissions before use (cross-check whether it's part of the manifest).
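The cross-check the report asks for, as an added illustration (not Firefox's own ExtensionPermissions.jsm code): stored grants are kept only if the manifest actually declares them, so stale or foreign entries never reach the active permission set. The manifest, the stored grants and the `{ permissions, origins }` shape of the stored record are constructed assumptions, and origins are compared by exact string match (match-pattern subsumption is left out).

```javascript
// Constructed sample manifest of the extension being started.
const manifest = {
  permissions: ["storage"],
  optional_permissions: ["tabs", "bookmarks"],
  host_permissions: ["https://example.com/*"],
};

// Constructed sample of what storage might hand back: "history" and the
// evil.example origin were never declared by this manifest (e.g. left over
// from an uninstall that did not clean up, or from another extension that
// ended up with the same generated extension ID).
const storedGrants = {
  permissions: ["tabs", "history"],
  origins: ["https://example.com/*", "*://*.evil.example/*"],
};

// Everything the manifest allows to be granted, required or optional.
function declaredPermissions(manifest) {
  return new Set([
    ...(manifest.permissions || []),
    ...(manifest.optional_permissions || []),
  ]);
}

function declaredOrigins(manifest) {
  return new Set(manifest.host_permissions || []);
}

// Keep only grants the manifest declares. Anything dropped is returned so
// the caller can log it: a dropped entry is a sign of stale or foreign storage.
function filterStoredGrants(stored, manifest) {
  const okPerms = declaredPermissions(manifest);
  const okOrigins = declaredOrigins(manifest);
  return {
    permissions: stored.permissions.filter(p => okPerms.has(p)),
    origins: stored.origins.filter(o => okOrigins.has(o)),
    dropped: [
      ...stored.permissions.filter(p => !okPerms.has(p)),
      ...stored.origins.filter(o => !okOrigins.has(o)),
    ],
  };
}

const filtered = filterStoredGrants(storedGrants, manifest);
console.log(filtered);
```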
Updated•4 years ago
Updated•3 years ago
Comment 1•1 year ago (Reporter)
Adding another scenario from bug 1902011 (https://bugzilla.mozilla.org/show_bug.cgi?id=1902011#c2):
- If an add-on is uninstalled very close to extension startup, and the asynchronously added permission application process is still pending, then the permissions won't be removed. These permissions can then be reused.
- In bug 1902011, the issue was even worse; two seemingly independent extensions shared the same extension ID, because the generated extension ID for a zip file without embedded extension ID is derived from the file path (and a random value that is constant during the session). Consequently, a completely different extension can receive permissions for an unrelated extension.
This is particularly a problem for manifest version 3 extensions, because the logic there triggers more frequently due to bug 1889402.