Closed Bug 299479 Opened 19 years ago Closed 18 years ago

Missing version number validation leads to potential path traversal and other troubles

Categories

(addons.mozilla.org Graveyard :: Developer Pages, defect)

defect
Not set
major

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: ma1, Assigned: fligtar)

Details

(Whiteboard: verify that this is no longer a threat, then resolve)

Attachments

(2 obsolete files)

We don't validate version numbers extracted from the extension manifest.
We use that number to form a file name: using meta characters in the version number
can lead to weird (or dangerous) results.
This is not as severe as bug #298756, because the patch for that bug (attachment
#187287) prevents uploading of files that are neither xpi nor jar.
Nevertheless, there's potential for directory traversal, which may be exploited
e.g. to overwrite already approved extensions, skipping review.
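
An added example (not part of the bug report or its patches; the regex from the attached patch is not reproduced on this page): one way to validate a manifest version against a strict allowlist before it becomes part of a file name, then confirm the resulting path stays inside the upload directory. The pattern, the length limit, the name format, and the names `is_valid_version` and `build_upload_path` are assumptions for illustration.

```python
import os
import re

# Assumed allowlist, NOT the regex from the patch: dot-separated parts made
# only of ASCII letters, digits, '+', '-' and '*'. No '/', '\', NUL, spaces,
# and no empty parts, so ".." can never appear.
VERSION_RE = re.compile(r"[A-Za-z0-9+*-]+(?:\.[A-Za-z0-9+*-]+)*")
NAME_RE = re.compile(r"[a-z0-9_]+")      # assumed slug format for the add-on name
MAX_VERSION_LEN = 32                      # assumed limit
ALLOWED_EXT = {"xpi", "jar"}              # file types named in the report


def is_valid_version(version):
    """True only if the whole string matches the allowlist (fullmatch, so a
    trailing newline or appended path segment is rejected too)."""
    return (isinstance(version, str)
            and 0 < len(version) <= MAX_VERSION_LEN
            and VERSION_RE.fullmatch(version) is not None)


def build_upload_path(base_dir, name, version, ext="xpi"):
    """Return the absolute destination path, or raise ValueError."""
    if NAME_RE.fullmatch(name) is None or ext not in ALLOWED_EXT:
        raise ValueError("invalid add-on name or file type")
    if not is_valid_version(version):
        raise ValueError("invalid version number in manifest")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, f"{name}-{version}.{ext}"))
    # Defense in depth: even with validated parts, refuse any path that
    # resolves outside the upload directory (e.g. through a symlink).
    if os.path.dirname(target) != base:
        raise ValueError("destination escapes upload directory")
    return target


# Constructed sample versions, as they might appear in a manifest.
SAMPLES = ["1.0", "1.5.0.4pre", "2.0b1", "../../approved/other-1.0",
           "1.0/../x", "1..2", "1.0\n", ""]

if __name__ == "__main__":
    for v in SAMPLES:
        print(repr(v), "accepted" if is_valid_version(v) else "rejected")
```
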
Attached patch: Version number validation (obsolete)
Attachment #188056 - Flags: first-review?(cst)
Comment on attachment 188056
Version number validation

I'd like it if the die message told the user how to make the version number
valid.

r=cst
Attachment #188056 - Flags: first-review?(cst) → first-review+
(In reply to comment #2)
> (From update of attachment 188056)
> I'd like it if the die message told the user how to make the version number
> valid.

I wouldn't, because I don't trust an extension developer who doesn't read the
relevant documentation and know how a version number should be ;)
Attachment #188056 - Attachment is obsolete: true
Attachment #188295 - Flags: first-review?(mconnor)
Group: webtools-security → update-security
How did it end?
Status: NEW → ASSIGNED
Comment on attachment 188295
Better indentation + link to reference doc

Man, I could bitch about style, but it's AMO 1.0, style is irrelevant here.
Attachment #188295 - Flags: first-review?(mconnor) → first-review+
Comment on attachment 188295
Better indentation + link to reference doc

This patch is no longer valid, this section of code was rewritten.
Attachment #188295 - Attachment is obsolete: true
Assignee: g.maone → nobody
Status: ASSIGNED → NEW
Whiteboard: verify that this is no longer a threat, then resolve
Target Milestone: 1.0 → 2.0
Assignee: nobody → fligtar
Depends on: remora-dev
OS: Windows XP → All
Target Milestone: 2.0 → 3.0
The regex and link in the patch have been added in Remora.
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Product: addons.mozilla.org → addons.mozilla.org Graveyard
I think that this should be made public by now.
Flags: needinfo?(amuntner)
Group: client-services-security
Flags: needinfo?(amuntner)