Bug 294640: One bad RDF can block the whole Firefox Update mechanism
Opened 20 years ago
Closed 20 years ago
Categories: Toolkit :: Application Update, defect
Status: RESOLVED FIXED
People
(Reporter: savino.lovergine, Assigned: robert.strong.bugs)
Attachments (1 file, 1 obsolete file)
image/jpeg, 14.14 KB
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4

Firefox Update doesn't work on my computer. The progress meter goes for a few steps, then blocks forever. The progress never finishes. I can't update at all.

One extension causes the problem. Uninstalling "Platypus 0.1" solves the problem; or upgrading from "0.1" to "0.3" solves the problem. So, what's the bug about "Platypus 0.1"? I think it's because of the RDF file. It contains this line:

<em:updateURL>none</em:updateURL>

The "0.3" file contains:

<em:updateURL>http://platypus.mozdev.org/update.rdf</em:updateURL>

Firefox Update should be shielded against this kind of bug. Just an invalid URL kills the whole thing. It can even become a kind of severe security problem! Someone can distribute forged extensions (or themes) via a popular website; people who downloaded and installed these extensions won't be able to run the Firefox Update process anymore. So they won't be able to update their Firefox and to protect themselves by upgrading. How many people are already blocked because of "Platypus 0.1" installed on their system? (Many people will delete their entire profile or uninstall the whole Firefox just to find out why Update doesn't work anymore.) Thanks.

Reproducible: Always

Steps to Reproduce:
1. Install the extension "Platypus 0.1".
2. Restart Firefox.
3. Try to do Firefox Update.

Actual Results:
Firefox Update hangs and never finishes.

Expected Results:
Firefox Update must progress and finish.
Comment 1•20 years ago
UA / Build: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4

More abstract reproduction (on Windows NT 5.x):
1. Make sure at least 1 extension is installed.
2. Open C:\Documents and Settings\<user>\Application Data\Mozilla\Firefox\Profiles\<profile>\extensions\Extensions.rdf in a text editor.
3. Locate the RDF:description node describing an extension and edit the value of the attribute em:updateURL to (for example) "none" or "invalid URL" (or insert the attribute).
4. (Re-)start ff and do an update from Tools->Options->Advanced->Software Update with the box to check for extensions checked.
5. The Software Update will never complete.

I can always reproduce the above steps on both Windows NT 5.0 (en-US) and 5.1 (en-GB).
Comment 2•20 years ago
As it is a possible security flaw, it should be watched... Firefox's Software Update is now weak. Attacks can be done.
Flags: blocking-aviary1.1?
Flags: blocking-aviary1.0.5?
Comment 3•20 years ago
I added a screenshot of the stalling update window (mainly to visualize the window/functionality the bug affects)
Comment 4•20 years ago
Not a security problem: this can only happen after you've already installed the extension. If you've done that and it's malicious, you've got bigger problems than a DoS from a bad URL. Not blocking releases on the security branch, but worth fixing in 1.1, especially since lots of changes are going into the update area.
Assignee: nobody → benjamin
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: blocking-aviary1.0.5? → blocking-aviary1.0.5-
Comment 5 (Assignee)•20 years ago
Comment 6•20 years ago
Comment on attachment 186024 [details] [diff] [review] (simple patch)

I don't understand how this patch helps: don't we still block while we're loading gRDF.GetDataSource?
Comment 7 (Assignee)•20 years ago
The problem described by this bug is when an install.rdf specifies an updateURL with an illegal value (e.g. no scheme etc.); the example I used in my testing was "none" as shown in comment #0. By wrapping it, it won't fail due to the illegal value and then it cleans up after itself. I considered validating the value for updateURL but decided this was less code and covers other possible failures validation might not provide.
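As an added illustration (not Firefox's extension manager code and not the patch attached to this bug) of the failure mode behind comment 1's reproduction and the two remedies comment 7 weighs, the JavaScript below parses a constructed list of extension records modelled on the install.rdf values quoted in comment 0. The WHATWG URL class stands in for the Mozilla URI parser, and the record list and function names are assumptions made for this example; a value like "none" is rejected by the parser, so an unshielded loop aborts on the first bad extension, while the wrapped loop records the failure and keeps checking the others.

```javascript
// Added example, not Firefox's extension manager code: how a single
// malformed em:updateURL can abort an update check that parses every
// extension's URL in one loop, and how per-item isolation (comment 7's
// wrapping) or up-front validation (the alternative comment 7 rejected)
// shields the loop. The records are constructed sample data modelled on the
// install.rdf values quoted in comment 0; the WHATWG URL class stands in
// for the Mozilla URI parser (an assumption for this example).

const extensions = [
  { id: "platypus@mozdev.org", version: "0.1",
    updateURL: "none" },                                   // bad value
  { id: "platypus@mozdev.org", version: "0.3",
    updateURL: "http://platypus.mozdev.org/update.rdf" },  // good value
  { id: "other@example.invalid", version: "1.0",
    updateURL: "https://example.invalid/update.rdf" },
];

// Unshielded loop: the first bad value throws, the loop is abandoned and
// every extension after it is never checked.
function collectUpdateURIsNaive(items) {
  const uris = [];
  for (const ext of items) {
    uris.push({ id: ext.id, uri: new URL(ext.updateURL) }); // TypeError on "none"
  }
  return uris;
}

// Shielded loop: each item is wrapped, a failure is recorded and skipped,
// and the remaining extensions are still checked.
function collectUpdateURIsIsolated(items) {
  const uris = [];
  const skipped = [];
  for (const ext of items) {
    try {
      uris.push({ id: ext.id, uri: new URL(ext.updateURL) });
    } catch (e) {
      skipped.push({ id: ext.id, version: ext.version, reason: e.message });
    }
  }
  return { uris, skipped };
}

// Validation alternative: accept only http(s) URLs before touching them.
// Stricter than the wrapper (an unexpected scheme is refused too), but it
// only covers the failures you anticipated; the wrapper also survives
// failures that happen later in the same step.
function isAcceptableUpdateURL(value) {
  let u;
  try {
    u = new URL(value);
  } catch {
    return false;
  }
  return u.protocol === "http:" || u.protocol === "https:";
}

// Demonstration when run directly with node: the unshielded loop aborts,
// the shielded loop checks two extensions and reports the skipped one.
function demo() {
  let naiveOutcome;
  try {
    naiveOutcome = `checked ${collectUpdateURIsNaive(extensions).length}`;
  } catch (e) {
    naiveOutcome = `aborted: ${e.message}`;
  }
  const { uris, skipped } = collectUpdateURIsIsolated(extensions);
  return {
    naive: naiveOutcome,
    isolatedChecked: uris.length,
    isolatedSkipped: skipped.map((s) => `${s.id} ${s.version}`),
  };
}

console.log(demo());
```

Run with `node update-urls.js` (any file name works). The point of the shielded form is the one comment 4 makes from the other direction: a bad record from one already-installed extension should cost that extension its update check, not cost the user every other update.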
Comment 8•20 years ago
Comment on attachment 186024 [details] [diff] [review] (simple patch)

Ah ok, this is not the "update server is not available" bug.
Attachment #186024 -
Flags: review?(benjamin) → review+
Updated (Assignee)•20 years ago
Attachment #186024 -
Flags: approval-aviary1.1a2?
Updated•20 years ago
Attachment #186024 -
Flags: approval-aviary1.1a2? → approval-aviary1.1a2+
Updated (Assignee)•20 years ago
Whiteboard: needs checkin
Updated•20 years ago
Whiteboard: needs checkin → [checkin needed]
Comment on attachment 186024 [details] [diff] [review] (simple patch)

Checked in: mozilla/toolkit/mozapps/extensions/src/nsExtensionManager.js.in 1.120
Attachment #186024 -
Attachment is obsolete: true
Updated•20 years ago
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Updated•20 years ago
Flags: blocking-aviary1.1?
Updated•16 years ago
Product: Firefox → Toolkit