Please grep within all extensions' chrome.manifest files for lines beginning with "contents" and not containing the string "jar:", e.g. grep "^content" */chrome.manifest | grep -v "jar:"
FYI, there was a vulnerability in Firefox posted on Full Disclosure and others that allows directory traversal on machines that have Firefox extensions installed which utilize flat directory structure instead of .jar archives: http://www.hiredhacker.com/2008/01/19/firefox-chrome-url-handling-directory-traversal/
It's been a long time since we got an updated copy of the addons on remora. Can we get ftp.mozilla.org/pub/addons/ rsync'd to khan-vm:/data/remora-files/ please? (On a cron job would be awesome, but once will get this bug resolved.)
rsync running right now...
(In reply to comment #3)
> rsync running right now...
>
Once it's done, I'll take the bug.
Created attachment 298600 [details]
grep -r -l --include=chrome.manifest -e "^content" * | grep -v "jar:"

Total of 3010 addons. After all .xpi's and .jar's were extracted, there are 1441 hits off of a total of 1523 chrome.manifest files. I had to change the command you gave me, so make sure it's what you wanted:

grep -r -l --include=chrome.manifest -e "^content" * | grep -v "jar:"

The output is attached. Format is: addonid/filename.extracted/*
There's something wrong with the data: I have several of those add-ons and they appear to be jar'd.

Of the un-jar'd ones I have, Intuit's Thumbstrips does not appear on the list and should (addon 5045)

Several appear on the list that appear to use jars in my local copy and shouldn't be on the list. For most it looks like one of several old versions isn't jar'd while the latest one I've got installed is. That makes the size of the list overly alarming -- hard to pick out the real vulnerabilities if everything is listed. In two cases the version numbers seem to correspond with what I have so I'm stumped.

Shouldn't be on list?
firebug (1.05 on list, my copy is jar'd)
useragent switcher (0.6.10 on list, my copy is jar'd)

On list due to old version:
fotofox (1.0.9 on list, installed 126.96.36.199 is Jar'd)
Link Widgets (2933) (1.3 on list, installed 1.5 is jar'd)
Tabs Open Relative (1956) (0.1 on list, installed 0.3 is jar'd)
Zotero (1.0.0b2 on list, installed 1.0.1 is jar'd)
Image Zoom (0.2 on list, installed 0.3 is jar'd)
Linkification (1.3.2 on list, installed 1.3.3 is jar'd)
Flashblock (1.5.3 on list, installed 1.5.5 is jar'd)
Operator (0.6.2 on list, installed 0.8 is jar'd)
Together with Foxkeh (0.1.6.1 on list, installed 0.1.6.2 is jar'd)
InspectThis (0.2.9 on list, installed 0.3 is jar'd)
Web Developer Toolbar (1.1.3 on list, installed 1.1.4 is jar'd)
AdBlock-Plus (0.7.5 on list, installed 0.7.5.3 is jar'd)
TorButton (1.0.1 on list, installed 1.0.4.01 is jar'd)

That means most of the extensions I have are on the list, while I'm actually only vulnerable from 1/4 of my extensions.
Created attachment 298893 [details]
grep -r --include=chrome.manifest -e "^content" * | grep -v "jar:"

The -l on the first grep was making the second grep useless.

As far as versions go, I'm not sure how I can guarantee the latest version with just the files. They all got rsync'd with the same date/time so I'm just grabbing the last file from an `ls` which isn't guaranteed to be the latest. mrz: does the source have the correct timestamps, and if so, can you re-rsync preserving them?

In the meantime, here is a new list with the greps working together. Only 601 hits this time.
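A self-contained version of the scan the two attachments above were built from, added here as an example rather than taken from either attachment: it greps the manifest lines first and filters on "jar:" second (the order that `grep -l` broke), over a constructed tree of two fake add-ons, one packaged in a .jar and one flat.

```shell
#!/bin/sh
# Constructed example: list chrome.manifest "content" registrations that
# point at a flat directory (no "jar:" in the line) instead of a .jar archive.
set -eu

# Print every chrome.manifest line under $1 that registers a content package
# from a flat directory, prefixed with the manifest path. The "jar:" filter
# must run on the line text; with grep -l only file names reach the second
# grep, so grep -v "jar:" never removes anything.
flat_content_lines() {
    find "$1" -name chrome.manifest -type f -print0 \
      | xargs -0 grep -H -e '^content' \
      | grep -v 'jar:' || true
}

# Number of flat content registrations under $1 (one per hit line).
flat_content_count() {
    flat_content_lines "$1" | grep -c . || true
}

# --- constructed sample data: two made-up add-ons, not real AMO entries ---
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/1001/jarred.xpi.extracted" "$root/1002/flat.xpi.extracted"
    # Packaged add-on: content lives inside a .jar archive.
    printf 'content jarredext jar:chrome/jarredext.jar!/content/\n' \
        > "$root/1001/jarred.xpi.extracted/chrome.manifest"
    # Flat add-on: content served straight from a directory in the .xpi.
    printf 'content flatext chrome/content/\nlocale flatext en-US chrome/locale/en-US/\n' \
        > "$root/1002/flat.xpi.extracted/chrome.manifest"
    printf '%s\n' "$root"
}

ROOT=$(make_sample_tree)
flat_content_lines "$ROOT"            # only the flat add-on is reported
echo "flat hits: $(flat_content_count "$ROOT")"
rm -rf "$ROOT"
```

Point `flat_content_lines` at the directory of extracted .xpi files to get output in the same addonid/filename.extracted/chrome.manifest form as the attachments.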
I ran: rsync -av /mnt/netapp/addons.mozilla.org-remora/files khan-vm:/data/remora-files/ which should have preserved timestamps. Ran it again just now too.
The timestamps on the files now match up to the real timestamps. It looks like something touches the files, because a lot of them have a modified date of today.
Created attachment 300181 [details]
Cleaned-up list of "flat" addons

Cleaned up the list of "flat" add-ons a bit.
(In reply to comment #12)
> Created an attachment (id=300181) [details]
> Cleaned-up list of "flat" addons
>
> Cleaned up the list of "flat" add-ons a bit.
>
Are all of these extensions you've listed on AMO? I've got a number of extensions I've gotten elsewhere (e.g. Mahalo follow). I only managed to have two of the 600+ you have on your list (I have 78 total).