Grep Addons for packages not using .jar

RESOLVED FIXED

Status

addons.mozilla.org Graveyard
Administration
--
critical
RESOLVED FIXED
10 years ago
a year ago

People

(Reporter: bsterne, Assigned: clouserw)

Tracking

Details

Attachments

(2 attachments, 1 obsolete attachment)

(Reporter)

Description

10 years ago
Please grep within all extensions' chrome.manifest files for lines beginning with "contents" and not containing the string "jar:", e.g.

grep "^content" */chrome.manifest | grep -v "jar:"
(Reporter)

Comment 1

10 years ago
FYI, there was a vulnerability in Firefox posted on Full Disclosure and others that allows directory traversal on machines that have Firefox extensions installed which utilize a flat directory structure instead of .jar archives:

http://www.hiredhacker.com/2008/01/19/firefox-chrome-url-handling-directory-traversal/

Updated

10 years ago
Severity: blocker → critical
(Assignee)

Comment 2

10 years ago
It's been a long time since we got an updated copy of the addons on remora.  Can we get ftp.mozilla.org/pub/addons/ rsync'd to khan-vm:/data/remora-files/ please?  (On a cron job would be awesome, but once will get this bug resolved.)

Updated

10 years ago
Assignee: server-ops → nobody
Group: infra
Component: Server Operations → Add-ons
Product: mozilla.org → addons.mozilla.org
QA Contact: justin → add-ons
Version: other → unspecified

Comment 3

10 years ago
rsync running right now...
(Assignee)

Comment 4

10 years ago
(In reply to comment #3)
> rsync running right now...
> 

Once it's done, I'll take the bug.

Comment 5

10 years ago
done
(Assignee)

Updated

10 years ago
Assignee: nobody → clouserw
(Assignee)

Comment 6

10 years ago
Created attachment 298600 [details]
grep -r -l --include=chrome.manifest -e "^content" * | grep -v "jar:"

Total of 3010 addons.  After all .xpi's and .jar's were extracted, there are 1441 hits off of a total of 1523 chrome.manifest files.  I had to change the command you gave me, so make sure it's what you wanted:

  grep -r -l --include=chrome.manifest -e "^content" * | grep -v "jar:"

The output is attached.  Format is:

  addonid/filename.extracted/*
Group: update-security
(Assignee)

Updated

10 years ago
Status: NEW → RESOLVED
Last Resolved: 10 years ago
Resolution: --- → FIXED
There's something wrong with the data: I have several of those add-ons and they appear to be jar'd.

Of the un-jar'd ones I have, Intuit's Thumbstrips does not appear on the list and should (addon 5045)

Several appear on the list that appear to use jars in my local copy and shouldn't be on the list. For most it looks like one of several old versions isn't jar'd while the latest one I've got installed is. That makes the size of the list overly alarming -- hard to pick out the real vulnerabilities if everything is listed.

In two cases the version numbers seem to correspond with what I have so I'm stumped.

Shouldn't be on list?
  firebug (1.05 on list, my copy is jar'd)
  useragent switcher (0.6.10 on list, my copy is jar'd)

On list due to old version:
  fotofox (1.0.9 on list, installed 1.0.9.2 is Jar'd)
  Link Widgets (2933) (1.3 on list, installed 1.5 is jar'd)
  Tabs Open Relative (1956) (0.1 on list, installed 0.3 is jar'd)
  Zotero (1.0.0b2 on list, installed 1.0.1 is jar'd)
  Image Zoom (0.2 on list, installed 0.3 is jar'd)
  Linkification (1.3.2 on list, installed 1.3.3 is jar'd)
  Flashblock (1.5.3 on list, installed 1.5.5 is jar'd)
  Operator (0.6.2 on list, installed 0.8 is jar'd)
  Together with Foxkeh (0.1.6.1 on list, installed 0.1.6.2 is jar'd)
  InspectThis (0.2.9 on list, installed 0.3 is jar'd)
  Web Developer Toolbar (1.1.3 on list, installed 1.1.4 is jar'd)
  AdBlock-Plus (0.7.5 on list, installed 0.7.5.3 is jar'd)
  TorButton (1.0.1 on list, installed 1.0.4.01 is jar'd)

That means most of the extensions I have are on the list, while I'm actually only vulnerable from 1/4 of my extensions.
(Assignee)

Comment 8

10 years ago
Created attachment 298893 [details]
grep -r --include=chrome.manifest -e "^content" * | grep -v "jar:"

The -l on the first grep was making the second grep useless.  As far as versions go, I'm not sure how I can guarantee the latest version with just the files.  They all got rsync'd with the same date/time so I'm just grabbing the last file from an `ls` which isn't guaranteed to be the latest.  mrz: does the source have the correct timestamps, and if so, can you re-rsync preserving them?

In the meantime, here is a new list with the greps working together.  Only 601 hits this time.
Attachment #298600 - Attachment is obsolete: true
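The two grep pipelines in comment 6 and comment 8 differ only by `-l`: with `-l` the first grep prints file names, so the second `grep -v "jar:"` filters names instead of `content` lines and nothing is excluded. Comment 8 also raises the point that several versions of one add-on are extracted side by side and only the latest matters. The following is an added example, not a script from this bug or from AMO, that audits an extracted tree without either problem: it parses each chrome.manifest directive by directive, classifies the `content` registrations as `jar:` or flat, and reports only add-ons whose newest version is still flat. It assumes a constructed layout of `<root>/<addonid>/<name>-<version>.xpi.extracted/chrome.manifest` (the page only gives `addonid/filename.extracted/*`) and uses a simplified version ordering in which a suffixed component such as `0b2` sorts before the bare number; both are assumptions for the example.

```python
"""Audit extracted add-on trees for chrome.manifest 'content' registrations
that point at flat directories rather than jar: URIs (added example)."""
import re
import tempfile
from pathlib import Path

# Assumed (constructed) layout: <root>/<addonid>/<name>-<version>.xpi.extracted/...
EXTRACTED_DIR_RE = re.compile(r"-(\d[\w.]*)\.xpi\.extracted$")


def parse_content_lines(text):
    """Yield (package, uri) for each 'content' directive in a chrome.manifest.
    Comments and other directives (locale, skin, overlay, ...) are skipped."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0] != "content" or len(parts) < 3:
            continue
        yield parts[1], parts[2]


def classify_manifest(text):
    """Return 'jar', 'flat', 'mixed' or 'none' depending on the content URIs."""
    kinds = {"jar" if uri.lower().startswith("jar:") else "flat"
             for _pkg, uri in parse_content_lines(text)}
    if not kinds:
        return "none"
    return "mixed" if len(kinds) == 2 else kinds.pop()


def version_key(version):
    """Simplified ordering key (assumption): '1.0.0b2' < '1.0.0' < '1.0.1' < '1.0.1.2'."""
    key = []
    for piece in version.split("."):
        match = re.match(r"(\d+)(.*)", piece)
        num, rest = (int(match.group(1)), match.group(2)) if match else (0, piece)
        # a non-empty suffix (b2, a1, ...) sorts before the bare number
        key.append((num, 0 if rest == "" else -1, rest))
    return tuple(key)


def audit(root):
    """Walk the tree; return {addonid: [(version, kind), ...]} sorted oldest to newest."""
    root = Path(root)
    report = {}
    for manifest in root.rglob("chrome.manifest"):
        addon_id = manifest.relative_to(root).parts[0]
        extracted = next((p for p in manifest.parents if p.name.endswith(".extracted")), None)
        if extracted is None:
            continue
        match = EXTRACTED_DIR_RE.search(extracted.name)
        version = match.group(1) if match else "unknown"
        kind = classify_manifest(manifest.read_text(encoding="utf-8", errors="replace"))
        report.setdefault(addon_id, []).append((version, kind))
    for versions in report.values():
        versions.sort(key=lambda vk: version_key(vk[0]))
    return report


def latest_flat(report):
    """Add-on ids whose newest version still registers flat (or partly flat) content."""
    return sorted(aid for aid, versions in report.items() if versions[-1][1] in ("flat", "mixed"))


def build_sample_tree():
    """Create a constructed sample tree in a temp dir (not real AMO data) and return its root."""
    root = Path(tempfile.mkdtemp())
    samples = {
        ("1001", "fotoext-1.0.9"): "content fotoext chrome/content/\n",
        ("1001", "fotoext-1.0.9.2"): "content fotoext jar:chrome/fotoext.jar!/content/\n",
        ("1002", "uaswitch-0.6.10"): "# flat only\ncontent uaswitch chrome/content/\n"
                                     "overlay chrome://browser/content/browser.xul chrome://uaswitch/content/o.xul\n",
        ("1003", "citeext-1.0.0b2"): "content citeext chrome/content/\n",
        ("1003", "citeext-1.0.1"): "content citeext jar:chrome/citeext.jar!/content/\n",
        ("1004", "mixedext-2.0"): "content a jar:chrome/a.jar!/content/\ncontent b chrome/b/\n",
    }
    for (addon_id, name), text in samples.items():
        d = root / addon_id / f"{name}.xpi.extracted"
        d.mkdir(parents=True)
        (d / "chrome.manifest").write_text(text, encoding="utf-8")
    return root


if __name__ == "__main__":
    sample_report = audit(build_sample_tree())
    for addon_id, versions in sorted(sample_report.items()):
        print(addon_id, versions)
    print("latest version still flat:", latest_flat(sample_report))
```

Because the classification looks at the URI of each `content` directive rather than at whole lines or file names, a manifest that registers one package from a jar and another from a directory is reported as `mixed` and still flagged, which the line-oriented `grep -v "jar:"` also catches but the `-l` variant silently misses.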
Thanks!

Comment 10

10 years ago
I ran:

 rsync -av /mnt/netapp/addons.mozilla.org-remora/files khan-vm:/data/remora-files/

which should have preserved timestamps.  Ran it again just now too.

Comment 11

10 years ago
The timestamps on the files now match up to the real timestamps.  It looks like something touches the files, because a lot of them have a modified date of today.

Updated

10 years ago
Group: update-security
(Reporter)

Comment 12

10 years ago
Created attachment 300181 [details]
Cleaned-up list of "flat" addons

Cleaned up the list of "flat" add-ons a bit.

Comment 13

10 years ago
(In reply to comment #12)
> Created an attachment (id=300181) [details]
> Cleaned-up list of "flat" addons
> 
> Cleaned up the list of "flat" add-ons a bit.
> 

Are all of these extensions you've listed on AMO?  I've got a number of extensions I've gotten elsewhere (e.g. Mahalo follow).  I only managed to have two of the 600+ you have on your list (I have 78 total).




Component: Add-ons → Administration
QA Contact: add-ons → administration
Product: addons.mozilla.org → addons.mozilla.org Graveyard