Closed
Bug 375398
Opened 19 years ago
Closed 19 years ago
Files of nominated add-ons are public
Categories
(addons.mozilla.org Graveyard :: Admin/Editor Tools, defect)
Tracking
(Not tracked)
VERIFIED
FIXED
People
(Reporter: aryx, Assigned: fligtar)
Details
1. Go to an extension in the nomination queue (example: https://addons.mozilla.org/de/firefox/editors/review/30574).
2. Copy the file URL (https://addons.mozilla.org/de/firefox/downloads/file/13777/linkto-1.0-firefox.xpi).
3. Log out or start a second Firefox session with -no-remote.
4. Paste the file URL into the address bar and press Enter.
5. See the install box prompting for input.
Result: Someone who could create a malicious extension and brand it as a boring one, requiring special external software for the add-on, could nominate it for public and it would stay for ages in the nomination queue, but he would be able to use the file URL to point people to his untested/unapproved add-on and their Firefox will directly prompt for install because addons.mozilla.org is on the extension install whitelist.
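The access-control gap the report describes, as an added example that is not AMO's code: a download handler that resolves a file id with no check of the add-on's review status, beside a hardened handler that serves unapproved files only to the add-on's own authors and to editors. The status names, roles and in-memory records are assumptions for illustration.

```python
# Added example (not addons.mozilla.org code): authorization for an add-on
# file download endpoint, modelled on the bug above. Status names, roles
# and the in-memory records below are assumptions.
from dataclasses import dataclass
from typing import Optional

STATUS_PUBLIC = "public"          # reviewed and approved
STATUS_NOMINATED = "nominated"    # waiting in the nomination queue
STATUS_SANDBOX = "sandbox"        # not nominated, not reviewed


@dataclass
class Addon:
    id: int
    status: str
    authors: frozenset = frozenset()   # user ids of the add-on's authors


@dataclass
class User:
    id: Optional[int] = None           # None means anonymous (logged out)
    is_editor: bool = False            # editors review the nomination queue


@dataclass
class AddonFile:
    id: int
    addon_id: int
    path: str


# Constructed sample data: file 13777 belongs to add-on 30574, still in the queue.
ADDONS = {30574: Addon(30574, STATUS_NOMINATED, frozenset({7}))}
FILES = {13777: AddonFile(13777, 30574, "linkto-1.0-firefox.xpi")}


def serve_file_vulnerable(file_id: int, user: User) -> Optional[str]:
    """Behaviour described in the bug: the file URL resolves for anyone,
    regardless of the add-on's review status or who is asking."""
    f = FILES.get(file_id)
    return f.path if f else None


def can_download(addon: Addon, user: User) -> bool:
    """Public add-ons are downloadable by anyone; anything not yet approved
    is only available to its own authors and to editors."""
    if addon.status == STATUS_PUBLIC:
        return True
    if user.id is None:
        return False
    return user.is_editor or user.id in addon.authors


def serve_file_fixed(file_id: int, user: User) -> Optional[str]:
    """Hardened handler: None (a 403/404 in a real server) unless authorized."""
    f = FILES.get(file_id)
    if f is None:
        return None
    return f.path if can_download(ADDONS[f.addon_id], user) else None
```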
Comment 1•19 years ago
(In reply to comment #0)
> Result: Someone who could create a malicious extension and brand it as a boring
> one, requiring special external software for the add-on, could nominate it for
> public and it would stay for ages in the nomination queue, but he would be able
> to use the file url to point people to his untested / unapproved add-on and
> their Firefox will directly prompt for install because addons.mozilla.org is on
> the extension install whitelist.
The user would have to directly enter the URL, rather than just click it, because it's the page that has the clicked link, not the site that's the _target_ of the link, that matters.
Copying sancus here so he can see the bug, not sure if that file is in fact public or not.
Comment 2 (Reporter)•19 years ago
Ah, I remember. So forget what I wrote about the whitelist. The files are accessible from the clean profile without being logged in.
Updated (Assignee)•19 years ago
Assignee: nobody → fligtar
Comment 3 (Assignee)•19 years ago
Fixed in r3011.
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Updated (Assignee)•19 years ago
Group: update-security
Status: RESOLVED → VERIFIED
Updated•10 years ago
Product: addons.mozilla.org → addons.mozilla.org Graveyard