Closed Bug 294450 Opened 19 years ago Closed 19 years ago

"Allowed Sites" for XPI checks linking site, not target

Categories

(Toolkit :: Add-ons Manager, defect)

x86
Windows XP
defect
Not set
major

Tracking


RESOLVED DUPLICATE of bug 358266

People

(Reporter: stephen.yeargin, Unassigned)

References

Details

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4

When visiting http://geourl.org/news/2005/03/14/firefox_extension.html, I saw a link to an extension I wanted. The link on the page points to http://www.splintered.co.uk/extensions/geourl_0.2.xpi, which resides on another domain. After clicking the link, the dialog box popped up asking if I would like to add "geourl.org" to my allowed sites list instead of splintered.co.uk. Adding GeoURL's site instead, I then re-clicked on the link. The extension installed.

I propose that, in theory, someone who has their site set to allow mozilla.org may be able to click on a comment or other non-moderated content to access http://example.com/malware.xpi without ever being prompted that they are leaving the host site and heading off to an unknown server. Of course, one could simply look at the taskbar, but software has to be written to the lowest common denominator. What if the comment for the GMail notifier said something like "This version is old. Click [[here]] for the newest edition," linking off to an untrusted server?

I welcome your comments.

- Stephen

Reproducible: Always

Steps to Reproduce:
1. Visit http://geourl.org/news/2005/03/14/firefox_extension.html
2. Click on the link in the center of the page. A dialog box asking you to accept plugins from "geourl.org" will pop up.
3. Add geourl.org to your list.
4. Click the link again.

Actual Results:
The plugin is ready to install from another site you did not approve.

No additional debugging data is available.
This is as-designed. We want people to install from trusted clearing-house like sites which can reference other locations. The true location of the install itself appears on the confirmation dialog, and users should weigh the actual source along with the reputation accorded to the recommending site. This also covers situations such as the site being https://addons.mozilla.org but the content being on ftp://ftp.mozilla.org without having to whitelist *.mozilla.org which would potentially open people to unsanitized content on bugzilla.mozilla.org or other more forum-like mozilla.org sites.
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → INVALID
Group: security
*** Bug 306000 has been marked as a duplicate of this bug. ***
Product: Firefox → Toolkit
Resolution: INVALID → DUPLICATE