Closed Bug 293330 Opened 16 years ago Closed 16 years ago

Remove XPI install delay without changing any about:config prefs

Categories

(Toolkit :: Add-ons Manager, defect)

x86
All
defect
Not set
critical

Tracking

()

RESOLVED FIXED

People

(Reporter: matthew, Unassigned)

References

Details

(Keywords: fixed-aviary1.0.4, Whiteboard: [sg:fix] depends on 292499)

Attachments

(1 file)

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.7) Gecko/20050416 Fedora/1.0.3-1.3.1 Firefox/1.0.3
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.7) Gecko/20050416 Fedora/1.0.3-1.3.1 Firefox/1.0.3

My report to security@mozilla.org:

An attacker can "kill" the XPI delay on the installation dialog by providing a
javascript IconURL that throws an exception.  In the sample exploit, "alert" is
used as it doesn't exist on a chrome window and throws an exception.  The sample
exploit tricks the user into installing an XPI by making them press enter over
and over, then popping up the "no wait" dialog.  Without the delay, a user may
inadvertently install a malicious XPI. 

See attached testcase.

Reproducible: Always

Steps to Reproduce:
Confirming. Depends on bug 292499
Status: UNCONFIRMED → NEW
Ever confirmed: true
Whiteboard: [sg:fix] depends on 292499
Flags: blocking-aviary1.1+
Flags: blocking-aviary1.0.4+
javascript icons no longer allowed, so thrown exceptions won't mess up the delay
count.
Status: NEW → RESOLVED
Closed: 16 years ago
Depends on: 292499
Resolution: --- → FIXED
Group: security
Flags: blocking-aviary1.0.5+ → blocking-aviary1.0.4+
Product: Firefox → Toolkit
You need to log in before you can comment on or make changes to this bug.