Addons should not be allowed to have an external updateUrl

RESOLVED FIXED in 1.1

Status

P1
critical
RESOLVED FIXED
14 years ago
3 years ago

People

(Reporter: jean-michel.philippe, Assigned: morgamic)

Tracking

unspecified

Details

Attachments

(1 attachment, 1 obsolete attachment)

(Reporter)

Description

14 years ago
User-Agent:       Mozilla/5.0 (X11; U; Linux i686; fr-FR; rv:1.7.5) Gecko/20041108 Firefox/1.0
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; fr-FR; rv:1.7.5) Gecko/20041108 Firefox/1.0

When Firefox searches for extension updates, he may download software from sites
not listed in the whitelist without warning. We do not no how safe these sites
are. One can thus imagine a malicious hacker that makes an intrusion on such a
site to replace the extension or even just the software update download site
that the extension provides. All further updates would then download malicious
software if not aldready done.

NB: indeed I found myself upgrading Tab Browser Preferences from the supposed
author site and then had my Firefox work very bad. I had to uninstall and
re-install from the official Mozilla site so now I take care of upgrading from
the official extension site only.

NB2: I didn't find any bug report about this topic, so I hope this no duplicate!

Reproducible: Always

Steps to Reproduce:
1. install extensions from the Mozilla site (e.g. Tab Browser Preferences) and
restart
2. make Firefox search for extension updates
3. agree to update
Actual Results:  
software updates are installed without warning about the fact that the download
site does not belong to the list of trusted extension sites

Expected Results:  
Firefox should warn and discourage to use such sites
We are updating the update.mozilla.org hosting policy and one of the
requirements will be that extensions we host must only update from our site.
Authors will of course be free to host versions elsewhere that update from where
they like (for example, development versions might update from the developers
own site).

This may be a dupe but I couldn't find it. Possibly it only exists on the
in-progress policy document in which case this bug is a useful reminder.
Assignee: bugs → Bugzilla-alanjstrBugs
Status: UNCONFIRMED → NEW
Component: Software Update → Administration
Ever confirmed: true
Product: Firefox → Update
QA Contact: bugs → mozilla.update
Summary: Extension updates are searched on sites outside from the whitelist → Require UMO-hosted extensions must update only from UMO

Comment 2

14 years ago
Still waiting on the policy doc.  Setting it to block this bug.  The code will
go somewhere around
http://lxr.mozilla.org/update1.0/source/developers/additem.php#88
Depends on: 245198
Target Milestone: --- → 1.1

Updated

14 years ago
Target Milestone: 1.1 → 2.0

Comment 3

13 years ago
The extension update url should not be overwritten until UMO can get it's review
turnaround down.  It's 1 week+ at the moment and getting worse.  It it's not
closer to 24 hours, overwriting the update url will be a hindrance to extension
authors who want to get security fixes out quickly.

Comment 4

13 years ago
While this makes sense from a security standpoint, this will be a pain in the
ass for extension authors.

I for one don't use UMO's update functionallity for a few different reasons
1) Review turn around as mentioned in comment #3
2) States, I like to know how many users are indeed upgrading, as this reflects
what kind of backwards compatibility my extensions should offer, and who I'm
tailoring to.
3) UMO instability, if UMO ever goes down or defunct (has happened in the past),
all my end users will be stuck.

Comment 5

13 years ago
(In reply to comment #4)
> While this makes sense from a security standpoint, this will be a pain in the
> ass for extension authors.

I reckon security is more important here. 
1) Turnaround has improved greatly.
2) UMO could provide statistics to developers on this.
3) As mozilla and umo grow I doubt this will be acceptable in future.

Comment 6

13 years ago
Created attachment 194506 [details] [diff] [review]
Make sure updateURL is not present
Attachment #194506 - Flags: first-review?(cst)

Updated

13 years ago
Summary: Require UMO-hosted extensions must update only from UMO → [Submission] Require UMO-hosted extensions must update only from UMO
(Reporter)

Comment 7

13 years ago
(In reply to comment #4)
> While this makes sense from a security standpoint, this will be a pain in the
> ass for extension authors.

To me security issues are much much more important than extension developer
comfort! Developers should all be aware of all kind of security issues and
understand why they cannot do whatever they want or would like to. If they
really want to keep working for the community they *must* adopt a safe and
professional behaviour.
Perhaps some tools are missing but I must say I really don't like the idea that
UMO downloaded extensions could update from anywhere else even in case of
critical bugs. Who could have had enough time to check the patched code? I would
rather prefer a kind of alert message that encourages users to disable
extensions or force disabling them while the code gets patched. There are a lot
of people waiting for Mozilla and its community to make mistakes, please don't
give them opportunities... It's so good job!

Comment 8

13 years ago
This has been drafted here http://wiki.mozilla.org/Update:Requirements/LegalAndReview

Currently some reviewers are denying addons with external updateurls, but it should be coded into the site so it automatically checks install.rdf when a developer uploads the addon

Upping severity as this is a major security issue and I agree with Jean-Michel
(comment #7)
> (...) There are a lot
> of people waiting for Mozilla and its community to make mistakes, please don't
> give them opportunities... 

Severity: normal → major

Comment 9

13 years ago
morgamic -

Now that we're enforcing this rule, we really need to automate it.  
Assignee: Bugzilla-alanjstrBugs → morgamic
Target Milestone: 2.0 → 1.1
(Assignee)

Comment 10

13 years ago
Picking this back up.
Status: NEW → ASSIGNED
(Assignee)

Updated

13 years ago
Severity: major → critical
Priority: -- → P1
(Assignee)

Comment 11

13 years ago
Created attachment 208163 [details] [diff] [review]
check for updateURL -- didn't know there was already a patch here
Attachment #194506 - Attachment is obsolete: true
Attachment #194506 - Flags: first-review?(cst)
(Assignee)

Comment 12

13 years ago
Comment on attachment 208163 [details] [diff] [review]
check for updateURL -- didn't know there was already a patch here

I'll be adventerous and commit this.  It's simple enough.
Attachment #208163 - Flags: first-review+
(Assignee)

Updated

13 years ago
Status: ASSIGNED → RESOLVED
Last Resolved: 13 years ago
Resolution: --- → FIXED
(Assignee)

Comment 14

13 years ago
Just changing the summary because I'm really tired of searching for the old one.
Summary: [Submission] Require UMO-hosted extensions must update only from UMO → Addons can no longer have an external updateUrl
(Assignee)

Updated

13 years ago
Summary: Addons can no longer have an external updateUrl → Addons should not be allowed to have an external updateUrl
Product: addons.mozilla.org → addons.mozilla.org Graveyard
You need to log in before you can comment on or make changes to this bug.