User-Agent: Mozilla/5.0 (X11; U; Linux i686; fr-FR; rv:1.7.5) Gecko/20041108 Firefox/1.0 Build Identifier: Mozilla/5.0 (X11; U; Linux i686; fr-FR; rv:1.7.5) Gecko/20041108 Firefox/1.0 When Firefox searches for extension updates, he may download software from sites not listed in the whitelist without warning. We do not no how safe these sites are. One can thus imagine a malicious hacker that makes an intrusion on such a site to replace the extension or even just the software update download site that the extension provides. All further updates would then download malicious software if not aldready done. NB: indeed I found myself upgrading Tab Browser Preferences from the supposed author site and then had my Firefox work very bad. I had to uninstall and re-install from the official Mozilla site so now I take care of upgrading from the official extension site only. NB2: I didn't find any bug report about this topic, so I hope this no duplicate! Reproducible: Always Steps to Reproduce: 1. install extensions from the Mozilla site (e.g. Tab Browser Preferences) and restart 2. make Firefox search for extension updates 3. agree to update Actual Results: software updates are installed without warning about the fact that the download site does not belong to the list of trusted extension sites Expected Results: Firefox should warn and discourage to use such sites
We are updating the update.mozilla.org hosting policy and one of the requirements will be that extensions we host must only update from our site. Authors will of course be free to host versions elsewhere that update from where they like (for example, development versions might update from the developers own site). This may be a dupe but I couldn't find it. Possibly it only exists on the in-progress policy document in which case this bug is a useful reminder.
Assignee: bugs → Bugzilla-alanjstrBugs
Status: UNCONFIRMED → NEW
Component: Software Update → Administration
Ever confirmed: true
Product: Firefox → Update
QA Contact: bugs → mozilla.update
Summary: Extension updates are searched on sites outside from the whitelist → Require UMO-hosted extensions must update only from UMO
Still waiting on the policy doc. Setting it to block this bug. The code will go somewhere around http://lxr.mozilla.org/update1.0/source/developers/additem.php#88
Depends on: 245198
Target Milestone: --- → 1.1
The extension update url should not be overwritten until UMO can get it's review turnaround down. It's 1 week+ at the moment and getting worse. It it's not closer to 24 hours, overwriting the update url will be a hindrance to extension authors who want to get security fixes out quickly.
While this makes sense from a security standpoint, this will be a pain in the ass for extension authors. I for one don't use UMO's update functionallity for a few different reasons 1) Review turn around as mentioned in comment #3 2) States, I like to know how many users are indeed upgrading, as this reflects what kind of backwards compatibility my extensions should offer, and who I'm tailoring to. 3) UMO instability, if UMO ever goes down or defunct (has happened in the past), all my end users will be stuck.
(In reply to comment #4) > While this makes sense from a security standpoint, this will be a pain in the > ass for extension authors. I reckon security is more important here. 1) Turnaround has improved greatly. 2) UMO could provide statistics to developers on this. 3) As mozilla and umo grow I doubt this will be acceptable in future.
Created attachment 194506 [details] [diff] [review] Make sure updateURL is not present
Summary: Require UMO-hosted extensions must update only from UMO → [Submission] Require UMO-hosted extensions must update only from UMO
(In reply to comment #4) > While this makes sense from a security standpoint, this will be a pain in the > ass for extension authors. To me security issues are much much more important than extension developer comfort! Developers should all be aware of all kind of security issues and understand why they cannot do whatever they want or would like to. If they really want to keep working for the community they *must* adopt a safe and professional behaviour. Perhaps some tools are missing but I must say I really don't like the idea that UMO downloaded extensions could update from anywhere else even in case of critical bugs. Who could have had enough time to check the patched code? I would rather prefer a kind of alert message that encourages users to disable extensions or force disabling them while the code gets patched. There are a lot of people waiting for Mozilla and its community to make mistakes, please don't give them opportunities... It's so good job!
This has been drafted here http://wiki.mozilla.org/Update:Requirements/LegalAndReview Currently some reviewers are denying addons with external updateurls, but it should be coded into the site so it automatically checks install.rdf when a developer uploads the addon Upping severity as this is a major security issue and I agree with Jean-Michel (comment #7) > (...) There are a lot > of people waiting for Mozilla and its community to make mistakes, please don't > give them opportunities...
Severity: normal → major
morgamic - Now that we're enforcing this rule, we really need to automate it.
Assignee: Bugzilla-alanjstrBugs → morgamic
Target Milestone: 2.0 → 1.1
Picking this back up.
Status: NEW → ASSIGNED
Severity: major → critical
Priority: -- → P1
Created attachment 208163 [details] [diff] [review] check for updateURL -- didn't know there was already a patch here
Comment on attachment 208163 [details] [diff] [review] check for updateURL -- didn't know there was already a patch here I'll be adventerous and commit this. It's simple enough.
Attachment #208163 - Flags: first-review+
Status: ASSIGNED → RESOLVED
Last Resolved: 13 years ago
Resolution: --- → FIXED
Thank you very much sir. http://forums.mozillazine.org/viewtopic.php?p=2010399
Just changing the summary because I'm really tired of searching for the old one.
Summary: [Submission] Require UMO-hosted extensions must update only from UMO → Addons can no longer have an external updateUrl
Summary: Addons can no longer have an external updateUrl → Addons should not be allowed to have an external updateUrl
Product: addons.mozilla.org → addons.mozilla.org Graveyard
You need to log in before you can comment on or make changes to this bug.