Closed
Bug 294450
Opened 19 years ago
Closed 19 years ago
"Allowed Sites" for XPI checks linking site, not target
Categories
(Toolkit :: Add-ons Manager, defect)
RESOLVED
DUPLICATE
of bug 358266
People
(Reporter: stephen.yeargin, Unassigned)
References
Details
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4
When visiting http://geourl.org/news/2005/03/14/firefox_extension.html, I saw a link to an extension I wanted. The link on the page points to http://www.splintered.co.uk/extensions/geourl_0.2.xpi, which resides on another domain. After clicking the link, the dialog box popped up asking if I would like to add "geourl.org" to my allowed sites list instead of splintered.co.uk. Adding GeoURL's site instead, I then re-clicked on the link. The extension installed.

I propose that, in theory, someone who has their site list set to allow mozilla.org may be able to click on a comment or other non-moderated content to access http://example.com/malware.xpi without ever being prompted that they are leaving the host site and heading off to an unknown server. Of course, one could simply look at the taskbar, but software has to be written to the lowest common denominator.

What if the comment for the GMail notifier said something like "This version is old. Click [[here]] for the newest edition," linking off to an untrusted server?

I welcome your comments. - Stephen
Reproducible: Always
Steps to Reproduce:
1. Visit http://geourl.org/news/2005/03/14/firefox_extension.html
2. Click on the link in the center of the page. A dialog box asking you to accept plugins from "geourl.org" will pop up.
3. Add geourl.org to your list.
4. Click the link again.
Actual Results:
The plugin is ready to install from another site you did not approve.
No additional debugging data is available.
Comment 1•19 years ago
This is as-designed. We want people to install from trusted clearing-house-like sites which can reference other locations. The true location of the install itself appears on the confirmation dialog, and users should weigh the actual source along with the reputation accorded to the recommending site. This also covers situations such as the site being https://addons.mozilla.org but the content being on ftp://ftp.mozilla.org without having to whitelist *.mozilla.org, which would potentially open people to unsanitized content on bugzilla.mozilla.org or other more forum-like mozilla.org sites.
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → INVALID
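The two positions in this bug, the reporter's expectation that the target host is what gets checked and comment 1's explanation that the whitelist is keyed to the referring (linking) page while the confirmation dialog shows the true source, can be modelled side by side. The following is an added example written for this page, not Firefox's own install code: the `Policy` names, the `installDecision` function and its return shape are this example's own assumptions, and the hostnames are the ones quoted in the report and in comment 1. It goes slightly beyond the page by also including a "both" policy, which requires the linking site and the .xpi host to be allowed.

```javascript
// Added example (not Firefox code): a model of the XPI "Allowed Sites" check
// described in this bug. Hostnames come from the report; policy names and the
// installDecision() signature are assumptions made for this illustration.

// Which host the allowed-sites list is compared against.
const Policy = Object.freeze({
  REFERRER: "referrer", // as designed (comment 1): the page carrying the link
  TARGET: "target",     // the reporter's expectation: the host serving the .xpi
  BOTH: "both",         // stricter variant: linking site and .xpi host both allowed
});

function hostOf(url) {
  return new URL(url).hostname.toLowerCase();
}

// Returns what the user would see for a click on xpiUrl from referrerUrl.
//   proceed:       whether installation continues without a whitelist prompt
//   promptToAllow: hosts the "add to allowed sites" prompt would name
//   sourceHost:    the true .xpi origin shown on the confirmation dialog
//   crossOrigin:   true when the .xpi is served by a host other than the linking page
function installDecision(referrerUrl, xpiUrl, allowedSites, policy) {
  const allowed = new Set(allowedSites.map((s) => s.toLowerCase()));
  const referrer = hostOf(referrerUrl);
  const target = hostOf(xpiUrl);

  let checked;
  switch (policy) {
    case Policy.REFERRER: checked = [referrer]; break;
    case Policy.TARGET:   checked = [target]; break;
    case Policy.BOTH:     checked = [referrer, target]; break;
    default: throw new Error(`unknown policy: ${policy}`);
  }
  const missing = [...new Set(checked)].filter((h) => !allowed.has(h));
  const crossOrigin = referrer !== target;

  if (missing.length > 0) {
    return { proceed: false, promptToAllow: missing, sourceHost: null, crossOrigin };
  }
  // Regardless of policy, the confirmation dialog names the real source of the
  // .xpi; comment 1 says users should weigh that host, not only the linking site.
  return { proceed: true, promptToAllow: [], sourceHost: target, crossOrigin };
}

// Walk through the steps from the report under each policy.
function runScenario(policy) {
  const page = "http://geourl.org/news/2005/03/14/firefox_extension.html";
  const xpi = "http://www.splintered.co.uk/extensions/geourl_0.2.xpi";
  const first = installDecision(page, xpi, [], policy);         // step 2: empty list
  const after = installDecision(page, xpi, ["geourl.org"], policy); // step 4: geourl.org added
  return { first, after };
}

for (const policy of Object.values(Policy)) {
  const { first, after } = runScenario(policy);
  console.log(policy, "| first click prompts for:", first.promptToAllow.join(",") || "(none)",
              "| after allowing geourl.org proceeds:", after.proceed,
              "| dialog shows source:", after.sourceHost);
}
```

Under `Policy.REFERRER` the run reproduces the report exactly: the first click prompts for geourl.org, and once that is allowed the install proceeds with www.splintered.co.uk named only on the confirmation dialog. Under `Policy.TARGET` the first prompt names www.splintered.co.uk and allowing geourl.org changes nothing, which is the behaviour the reporter expected. Comment 1's addons.mozilla.org to ftp.mozilla.org case is the same cross-origin shape and is handled identically.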
Updated•19 years ago
Group: security
Comment 2•19 years ago
*** Bug 306000 has been marked as a duplicate of this bug. ***
Updated•16 years ago
Product: Firefox → Toolkit
Updated•13 years ago
Resolution: INVALID → DUPLICATE