Ability to get around the exception list for web sites allowed to install software




14 years ago
12 years ago


(Reporter: artooro, Assigned: dveditz)


Firefox Tracking Flags

(Not tracked)





14 years ago
User-Agent:       Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8b2) Gecko/20050422 Firefox/1.0+
Build Identifier: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8b2) Gecko/20050422 Firefox/1.0+

I found a way to get around the list of exceptions for web sites allowed to
install software.
See the url above.

Basically I have a PHP script like this:

$file = file_get_contents($_GET['file']);
$mime = 'application/x-xpinstall';
header("Content-Type: $mime");
echo $file;

Reproducible: Always

Steps to Reproduce:
1. Go to the test url

Actual Results:  
It won't be blocked but the confirmation dialog will come up.

Expected Results:  
You would expect the regular "To protect your computer, Browser prevented this
site from installing software..."

I'm marking this as a security bug just in case. Better safe than sorry.

Clicking the link on this bug made the warning come up for me. Does it not for
you? Where did you click the link originally when you were testing?

Comment 2

14 years ago
"It won't be blocked but the confirmation dialog will come up."

When I go to the link the confirmation dialog appears asking whether or not I
really want to install this software because it could be malicious.

The only thing this bug does is circumvent the white list. Whether or not that is
really bad or not I don't know.

My Firefox 1.0.3 (Mandrake Linux 10.0) gave me the yellow bar, as I would expect
for a site not on the whitelist.

I did *not* get the bar, but that's because I had whitelisted bugzilla (not a
great idea, but I know what I'm doing). If I take bugzilla out of my whitelist I
get the infobar.

Where the link is doesn't matter, what matters is the page from which you launch
the install. We don't want a malicious site pestering you to install legit stuff
from ftp.mozilla.org, for example, and if you trust a particular blogger and
want to whitelist them there's no reason to block their links no matter where
the xpi is -- you're trusting the recommendation, you probably know nothing more
about the source than that.

So... what page contained the above link that managed to get around the
whitelist? If you mean the link in bugzilla above, have you whitelisted
bugzilla.mozilla.org or mozilla.org ?

Comment 5

14 years ago
/Feeling kind of crazy right now./

This is not a bug or problem after all. Because I had simply typed the url in
the location bar and then pressed enter. I never actually clicked on a link to
get to the url.

No wonder the whitelist had no effect.

Sorry about wasting your time.

The code in question seems to be in nsInstallTrigger::HandleContent, which makes
decisions based on the referrer:

Typing a xpi link directly into the URL bar (or from a bookmark) is intended to
bypass the whitelist -- it's assumed the user really meant it, and if not then
they'll get a chance to cancel on the confirmation dialog.
Group: security
Last Resolved: 14 years ago
Resolution: --- → INVALID
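
The decision described in the comments above, as an added sketch that is not part of the bug report and is not Mozilla's code: the whitelist is checked against the page that launched the install, and an install with no referrer skips the check. The function names, outcome strings, the subdomain-matching rule and the .example hosts are assumptions made for illustration.

```javascript
// Simplified model of the behaviour discussed in this bug (not Mozilla's code).
// Outcomes: "infobar" = install blocked, yellow bar shown;
//           "confirm" = whitelist passed or skipped, confirmation dialog shown.

// Assumption: a whitelist entry also covers its subdomains, so "mozilla.org"
// covers "bugzilla.mozilla.org". The "." in the suffix test keeps a lookalike
// such as "evilmozilla.org" from matching.
function hostIsWhitelisted(host, whitelist) {
  const h = host.toLowerCase();
  return whitelist.some((entry) => {
    const e = entry.toLowerCase();
    return h === e || h.endsWith("." + e);
  });
}

// referrer: URL of the page that launched the install, or null when the URL
// was typed into the location bar or opened from a bookmark.
// xpiUrl is accepted only to show that it plays no part in the decision.
function xpiInstallDecision(xpiUrl, referrer, whitelist) {
  if (referrer === null || referrer === "") {
    return "confirm"; // treated as a deliberate user action
  }
  let host;
  try {
    host = new URL(referrer).hostname;
  } catch (e) {
    return "infobar"; // unparsable referrer: treat as untrusted (assumption)
  }
  return hostIsWhitelisted(host, whitelist) ? "confirm" : "infobar";
}

// Constructed cases: one XPI URL, different launching pages.
function demo() {
  const xpi = "http://downloads.example/test.php?file=ext.xpi";
  const whitelist = ["bugzilla.mozilla.org", "blog.example"];
  return {
    typedInLocationBar: xpiInstallDecision(xpi, null, whitelist),
    linkOnWhitelistedPage: xpiInstallDecision(
      xpi, "https://bugzilla.mozilla.org/show_bug.cgi", whitelist),
    linkOnOtherPage: xpiInstallDecision(xpi, "http://ads.example/", whitelist),
  };
}

console.log(demo());
```

The first case is the one the reporter hit, and also the one comment 8 asks about: anything that loads the XPI URL without a referrer lands on the confirmation dialog regardless of the whitelist.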

Comment 8

12 years ago
Daniel, is that always a good idea? Opening xpi links in tabs bypasses the whitelist (you just have to press enter on the new tab addressbar). Couldn't the user do that accidentally?