Closed Bug 294975 Opened 20 years ago Closed 20 years ago

"Force-an-update" auto-redirects trash all links

Categories

(addons.mozilla.org Graveyard :: Plugins, defect)

Product:
addons.mozilla.org Graveyard
Component:
Plugins
Type:
defect
Priority:
Not set
Severity:
major

Tracking

(Not tracked)

Status:
VERIFIED WONTFIX

People

(Reporter: nwillis, Unassigned)

References

(
URL
)

Details

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.6) Gecko/20050323 Firefox/1.0.2 Fedora/1.0.2-1.3.1
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.6) Gecko/20050323 Firefox/1.0.2 Fedora/1.0.2-1.3.1

I subscribe to the Update RSS feed, to learn about new extensions etc as they
are released.  Recently every link I click on in order to read the associated
article gets redirected to the "You must update to the most recent version of
Firefox" page.  This is annoying as hell.

And it is bad behavior: that behavior might make sense for redirecting attempts
to *install* an update, but as it is currently implemented it prevents all users
from even *reading* a moreinfo link.  Thus making the RSS feed useless.

To make matters worse, I can access all these pages correctly if using a
NON-firefox browser.  I've tried it with Opera and Epiphany.  It is redirectly
only Firefox users based on their reported version.

Reproducible: Always

Steps to Reproduce:
1.  Click on a link to an addons.mozilla.org URL (ie,
http://addons.mozilla.org/extensions/moreinfo.php?id=748&vid=2892)
Actual Results:  
Page returned is "Latest Upgrade of Firefox now available" --
http://www.mozilla.org/products/firefox/upgrade/?id=748&vid=2892

Expected Results:  
Displayed the page linked to.
Nate, the message appears because you are using an outdated Firefox browser. 
There were security issues with 1.0.2 and 1.0.3 so the update.mozilla.org site
is encouraging people to upgrade to 1.0.4 by requiring Firefox visitors to upgrade.
Yes that's perfectly clear.  So what?  

Which version of the browser I am using should not determine whether or not I am
shown the contents of the page; that's the bug!  

Altering what is returned based on the version of the browser used to access the
page makes sense when the URI is an XPI install -- it does *not* when the page
contents are just HTML.

Not all users can upgrade at will; most Linux users are at the mercy of their
distribution to push updated packages to them.  In the meantime, what -- tell
them tough luck, you can just wonder what the announcement regarding this
extension was?

What if the announcement alerted the extension's users to an even more serious
security hole than the bug in their old version of Firefox?  Isn't that worse? 
Don't they have the right to know?  Why should you keep that information from
them based on the version of Firefox they happen to access the page with at the
moment?

What if I tried to read the page on a PC that I don't have system privileges on
(work) and this behavior prevents me from reading about a serious problem that
affects a machine that *do* have system privileges on (home)??

In any case, the Mozilla web server should not prevent a user from viewing
harmless (ie, HTML) content for an irrelevant reason.  Or for any reason at all,
actually.

This is bad, user-hostile behavior.  It may have had a good intention behind it,
but the unintended consequences are bad.
Nate

(In reply to comment #1)
> Nate, the message appears because you are using an outdated Firefox browser. 
> There were security issues with 1.0.2 and 1.0.3 so the update.mozilla.org site
> is encouraging people to upgrade to 1.0.4 by requiring Firefox visitors to
upgrade.
This is on purpose.
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → WONTFIX
(In reply to comment #3)
> This is on purpose.

It's still WRONG.

If you want to put a message on the page that informs the user that they need to
upgrade, fine; that would be logical.  But deleting all page content is not, and
impairing users who CAN'T upgrade their installs is ludicrous.

Have you forgotten the hell that "Please Use Internet Explorer version 4.0 or
above" created for all alternative browsers?  Now Mozilla is *doing* this
itself?  That's shameful in addition to being wrong.
Status: RESOLVED → UNCONFIRMED
Resolution: WONTFIX → ---
To copy what justdave said on another bug, somewhere else:

"We have never blocked old versions from the addons site before.  We have no
choice this time.  The severity of the security vulnerability in question
demands it.  If you can get content from a site in Firefox's extension install
whitelist loaded in an IFRAME, you can execute arbitrary code on the user's
computer.  That's serious.  It would be irresponsible of us NOT to block
vulnerable clients from getting content from that site, since it's included in
the default whitelist that ships with Firefox."

I can't see this being changed, as even being able to load ANY page of the site
opens up the problem.
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago20 years ago
Resolution: --- → WONTFIX
Status: RESOLVED → VERIFIED
Product: addons.mozilla.org → addons.mozilla.org Graveyard
You need to log in before you can comment on or make changes to this bug.