Closed Bug 406032 Opened 18 years ago Closed 18 years ago

Block update info urls that are not http/https

Categories

(Toolkit :: Add-ons Manager, defect, P3)

Tracking

RESOLVED FIXED
mozilla1.9beta2

People

(Reporter: mossop, Assigned: mossop)

Details

(Whiteboard: [sg:want])

Attachments

(1 file, 1 obsolete file)

Currently we accept and use any update info url we are given. We should restrict them to http/https only. This should be a simple fix.
Flags: blocking-firefox3?
Assignee: nobody → dtownsend
Attached patch patch rev 1 (obsolete) — Splinter Review
This is the simple fix, just drop any updateInfoURL entries that are not http or https.
Attachment #290755 - Flags: review?(robert.bugzilla)
Status: NEW → ASSIGNED
Whiteboard: [has patch]
Comment on attachment 290755 patch rev 1
per discussion with Dave... only check the uri scheme when needed instead of every update check and create a uri and use the scheme property.
Attachment #290755 - Flags: review?(robert.bugzilla) → review-
Attached patch patch rev 2 — Splinter Review
Shifted the check across to the UI side, only actually check when we need to use the uri.
Attachment #290755 - Attachment is obsolete: true
Attachment #290929 - Flags: review?(robert.bugzilla)
Comment on attachment 290929 patch rev 2
r=me with declaring the vars where they are used
Attachment #290929 - Flags: review?(robert.bugzilla) → review+
Comment on attachment 290929 patch rev 2
This is a small change checking that the release notes are really coming from a web server.
Attachment #290929 - Flags: approval1.9?
Attachment #290929 - Flags: approval1.9? → approval1.9+
Checking in toolkit/mozapps/extensions/content/extensions.js;
/cvsroot/mozilla/toolkit/mozapps/extensions/content/extensions.js,v <-- extensions.js
new revision: 1.153; previous revision: 1.152
done
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Whiteboard: [has patch]
Flags: blocking-firefox3? → blocking-firefox3+
Priority: -- → P3
Target Milestone: --- → Firefox 3 M10
Hi dave, do you have a testcase for this fix? Thanks.
is this worth fixing on the 1.8 branch?
Flags: wanted1.8.1.x?
Whiteboard: [sg:want]
(In reply to comment #7)
> Hi dave, do you have a testcase for this fix? Thanks.
I'll have to work something up after the holidays.
(In reply to comment #8)
> is this worth fixing on the 1.8 branch?
The feature doesn't exist on the 1.8 branch so no.
Group: security
Flags: wanted1.8.1.x? → wanted1.8.1.x-
(In reply to comment #9)
> (In reply to comment #7)
> > Hi dave, do you have a testcase for this fix? Thanks.
>
> I'll have to work something up after the holidays.
Hey Dave, revisiting this request for a testcase. Thanks.
(In reply to comment #10)
> (In reply to comment #9)
> > (In reply to comment #7)
> > > Hi dave, do you have a testcase for this fix? Thanks.
> >
> > I'll have to work something up after the holidays.
>
> Hey Dave, revisiting this request for a testcase. Thanks.
Sorry, lost this. Install https://people.mozilla.com/~dtownsend/testcases/bug406032/test.xpi and restart, then do an update check. Clicking on show information should say it has none. The update info actually has a data url in it that is getting ignored.
Product: Firefox → Toolkit
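The approach discussed in this bug (build a URI object, read its scheme, and do so only when the release-notes link is about to be used), as an added example that is not the patch attached to this bug. It uses the standard JavaScript `URL` parser rather than Mozilla's URI interfaces, and the function names and sample items are hypothetical.

```javascript
// Added example: hypothetical helper names, not Mozilla's extensions.js code.
// Uses the standard WHATWG URL parser in place of Mozilla's URI objects.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Parse first, then compare the parsed scheme. Returns the normalized URL
// string if the scheme is http/https, otherwise null.
function safeUpdateInfoURL(spec) {
  if (typeof spec !== "string") return null;
  let url;
  try {
    url = new URL(spec); // throws on relative or malformed input
  } catch (e) {
    return null;
  }
  // url.protocol is lower-cased and includes the trailing colon, so
  // "HTTP://..." is accepted while "httpx://..." is not, which a
  // string-prefix test on the raw value would get wrong.
  return ALLOWED_SCHEMES.has(url.protocol) ? url.href : null;
}

// Check at the point of use (UI side): an update item whose info URL is
// rejected is treated exactly like one that has no release notes.
function releaseNotesFor(updateItem) {
  const href = safeUpdateInfoURL(updateItem.updateInfoURL);
  return href ? { available: true, href } : { available: false, href: null };
}

// Constructed sample update items (not taken from the bug's test.xpi).
const SAMPLE_ITEMS = [
  { id: "a@example.test", updateInfoURL: "https://example.test/notes.xhtml" },
  { id: "b@example.test", updateInfoURL: "HTTP://example.test/notes.xhtml" },
  { id: "c@example.test", updateInfoURL: "data:text/html,release%20notes" },
  { id: "d@example.test", updateInfoURL: "file:///tmp/notes.xhtml" },
  { id: "e@example.test", updateInfoURL: "httpx://example.test/notes" },
  { id: "f@example.test", updateInfoURL: "notes.xhtml" },
  { id: "g@example.test" },
];

for (const item of SAMPLE_ITEMS) {
  const notes = releaseNotesFor(item);
  console.log(item.id, notes.available ? notes.href : "no update information");
}
```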