Closed Bug 294450 Opened 20 years ago Closed 20 years ago

"Allowed Sites" for XPI checks linking site, not target

Categories

(Toolkit :: Add-ons Manager, defect)

x86
Windows XP
defect
Not set
major


RESOLVED DUPLICATE of bug 358266

People

(Reporter: stephen.yeargin, Unassigned)

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4

When visiting http://geourl.org/news/2005/03/14/firefox_extension.html, I saw a
link to an extension I wanted. The link on the page points to
http://www.splintered.co.uk/extensions/geourl_0.2.xpi, which resides on another
domain. After clicking the link, the dialog box popped up asking if I would like
to add "geourl.org" to my allowed sites list instead of splintered.co.uk.

Adding GeoURL's site instead, I then re-clicked on the link. The extension
installed. I propose that, in theory, someone who has their site to allow
mozilla.org may be able to click on a comment or other non-moderated content to
access http://example.com/malware.xpi without ever being prompted that they are
leaving the host site, and heading off to an unknown server. Of course, one
could simply look at the taskbar, but software has to be written to the lowest
common denominator.

What if the comment for the GMail notifier said something like "This version is
old. Click [[here]] for the newest edition," linking off to an untrusted server.

I welcome your comments. - Stephen


Reproducible: Always

Steps to Reproduce:
1. Visit http://geourl.org/news/2005/03/14/firefox_extension.html
2. Click on the link in the center of the page. A dialog box asking you to
accept plugins from "geourl.org" will pop up.
3. Add geourl.org to your list.
4. Click the link again.

Actual Results:  
The plugin is ready to install from another site you did not approve.


No additional debugging data is available.

This is as-designed. We want people to install from trusted clearing-house-like
sites which can reference other locations. The true location of the install
itself appears on the confirmation dialog, and users should weigh the actual
source along with the reputation accorded to the recommending site. This also
covers situations such as the site being https://addons.mozilla.org but the
content being on ftp://ftp.mozilla.org without having to whitelist *.mozilla.org
which would potentially open people to unsanitized content on
bugzilla.mozilla.org or other more forum-like mozilla.org sites.
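The two comments above disagree about which host the "Allowed Sites" list should be checked against. The following is an added model of both policies, written for this page and not taken from Firefox; the hostnames and the reproduction steps come from the report and the reply, while the function and field names, the exact-hostname matching, and the page paths used in the two scenarios are assumptions made for the example.

```javascript
// Added illustrative model of the allow-list decision discussed in this bug.
// It is not Firefox's code: the hostnames and the policy description come
// from the report and the reply; everything else (function and field names,
// exact-hostname matching, the assumed page paths) is made up for the example.

function hostOf(url) {
  return new URL(url).hostname;
}

// Policy described in the reply: the allow-list is keyed on the page that
// initiated the install (the linking site). The host actually serving the
// .xpi is only surfaced in the confirmation dialog ("from").
function decideByLinkingSite(pageUrl, xpiUrl, allowed) {
  const linking = hostOf(pageUrl);
  const from = hostOf(xpiUrl);
  if (!allowed.has(linking)) {
    return { action: "block", promptToAllow: linking, linking, from };
  }
  return { action: "confirm", linking, from };
}

// Policy the reporter expected: keyed on the host that serves the .xpi.
function decideByTargetHost(pageUrl, xpiUrl, allowed) {
  const linking = hostOf(pageUrl);
  const from = hostOf(xpiUrl);
  if (!allowed.has(from)) {
    return { action: "block", promptToAllow: from, linking, from };
  }
  return { action: "confirm", linking, from };
}

// Walk the bug's "Steps to Reproduce" under a given policy.
function reproduce(policy) {
  const page = "http://geourl.org/news/2005/03/14/firefox_extension.html";
  const xpi = "http://www.splintered.co.uk/extensions/geourl_0.2.xpi";
  const allowed = new Set();
  const first = policy(page, xpi, allowed);   // step 2: blocked, dialog names a site
  allowed.add(first.promptToAllow);           // step 3: user adds whatever site was named
  const second = policy(page, xpi, allowed);  // step 4: click the link again
  return { first, second, allowed: [...allowed] };
}

// The two scenarios the thread argues about. Hosts are the ones named in the
// bug; the page and file paths are assumed for the example.
function scenarios(policy) {
  // Reporter's concern: unmoderated content on an already-allowed site links off-site.
  const userContent = policy(
    "https://addons.mozilla.org/extensions/gmail-notifier/comments", // assumed path
    "http://example.com/malware.xpi",
    new Set(["addons.mozilla.org"])
  );
  // Reply's rationale: a clearing-house page whose .xpi is hosted on another host.
  const clearingHouse = policy(
    "https://addons.mozilla.org/extensions/some-extension",          // assumed path
    "ftp://ftp.mozilla.org/pub/extensions/some-extension.xpi",       // assumed path
    new Set(["addons.mozilla.org"])
  );
  return { userContent, clearingHouse };
}

if (typeof require !== "undefined" && require.main === module) {
  const policies = [["linking-site", decideByLinkingSite], ["target-host", decideByTargetHost]];
  for (const [name, policy] of policies) {
    console.log(name, "reproduce:", JSON.stringify(reproduce(policy)));
    console.log(name, "scenarios:", JSON.stringify(scenarios(policy)));
  }
}
```

Running it shows the trade-off both comments describe: under the linking-site policy the reporter's user-content link reaches the confirmation dialog (with `from` set to example.com, which is the only signal the user gets), while the addons.mozilla.org to ftp.mozilla.org case works without allowing *.mozilla.org; under the target-host policy the user-content link is blocked, but the clearing-house case would prompt the user to allow ftp.mozilla.org as well.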
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → INVALID
Group: security
*** Bug 306000 has been marked as a duplicate of this bug. ***
Product: Firefox → Toolkit
Resolution: INVALID → DUPLICATE