Closed Bug 413549 Opened 17 years ago Closed 17 years ago

Grep Addons for packages not using .jar


( Graveyard :: Administration, defect)




(Reporter: bsterne, Assigned: clouserw)



(2 files, 1 obsolete file)

Please grep within all extensions' chrome.manifest files for lines beginning with "contents" and not containing the string "jar:", e.g.

grep "^content" */chrome.manifest | grep -v "jar:"
FYI, there was a vulnerability in Firefox posted on Full Disclosure and others that allows directory traversal on machines that have Firefox extensions installed which utilize flat directory structure instead of .jar archives:
Severity: blocker → critical
It's been a long time since we got an updated copy of the addons on remora.  Can we get rsync'd to khan-vm:/data/remora-files/ please?  (On a cron job would be awesome, but once will get this bug resolved.)
Assignee: server-ops → nobody
Group: infra
Component: Server Operations → Add-ons
Product: →
QA Contact: justin → add-ons
Version: other → unspecified
rsync running right now...
(In reply to comment #3)
> rsync running right now...

Once it's done, I'll take the bug.
Assignee: nobody → clouserw
Total of 3010 addons.  After all .xpi's and .jar's were extracted, there are 1441 hits off of a total of 1523 chrome.manifest files.  I had to change the command you gave me, so make sure it's what you wanted:

  grep -r -l --include=chrome.manifest -e "^content" * | grep -v "jar:"

The output is attached.  Format is:

Group: update-security
Closed: 17 years ago
Resolution: --- → FIXED
There's something wrong with the data: I have several of those add-ons and they appear to be jar'd.

Of the un-jar'd ones I have, Intuit's Thumbstrips does not appear on the list and should (addon 5045)

Several appear on the list that appear to use jars in my local copy and shouldn't be on the list. For most it looks like one of several old versions isn't jar'd while the latest one I've got installed is. That makes the size of the list overly alarming -- hard to pick out the real vulnerabilities if everything is listed.

In two cases the version numbers seem to correspond with what I have so I'm stumped.

Shouldn't be on list?
  firebug (1.05 on list, my copy is jar'd)
  useragent switcher (0.6.10 on list, my copy is jar'd)

On list due to old version:
  fotofox (1.0.9 on list, installed is Jar'd)
  Link Widgets (2933) (1.3 on list, installed 1.5 is jar'd)
  Tabs Open Relative (1956) (0.1 on list, installed 0.3 is jar'd)
  Zotero (1.0.0b2 on list, installed 1.0.1 is jar'd)
  Image Zoom (0.2 on list, installed 0.3 is jar'd)
  Linkification (1.3.2 on list, installed 1.3.3 is jar'd)
  Flashblock (1.5.3 on list, installed 1.5.5 is jar'd)
  Operator (0.6.2 on list, installed 0.8 is jar'd)
  Together with Foxkeh ( on list, installed is jar'd)
  InspectThis (0.2.9 on list, installed 0.3 is jar'd)
  Web Developer Toolbar (1.1.3 on list, installed 1.1.4 is jar'd)
  AdBlock-Plus (0.7.5 on list, installed is jar'd)
  TorButton (1.0.1 on list, installed is jar'd)

That means most of the extensions I have are on the list, while I'm actually only vulnerable from 1/4 of my extensions.
The -l on the first grep was making the second grep useless.  As far as versions go, I'm not sure how I can guarantee the latest version with just the files.  They all got rsync'd with the same date/time so I'm just grabbing the last file from an `ls` which isn't guaranteed to be the latest.  mrz: does the source have the correct timestamps, and if so, can you re-rsync preserving them?

In the meantime, here is a new list with the greps working together.  Only 601 hits this time.
Attachment #298600 - Attachment is obsolete: true
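
The `-l` problem described in the comment above, reproduced on a constructed tree (an added example, not part of the bug thread or its attachments): with `-l` the first stage emits file names, so `grep -v "jar:"` tests paths instead of manifest lines. The function names, the sample add-ons and the use of `find` in place of `grep -r --include` are assumptions of this example.

```shell
#!/bin/sh
# Constructed sample: three unpacked add-ons, one fully jar'd, one flat,
# one that registers both a jar'd and a flat content package.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/jarred-addon" "$root/flat-addon" "$root/mixed-addon"
    printf 'content jarred jar:chrome/jarred.jar!/content/\n' \
        > "$root/jarred-addon/chrome.manifest"
    printf 'content flat chrome/content/\nskin flat classic/1.0 chrome/skin/\n' \
        > "$root/flat-addon/chrome.manifest"
    printf 'content a jar:chrome/a.jar!/content/\ncontent b chrome/b/\n' \
        > "$root/mixed-addon/chrome.manifest"
    printf '%s\n' "$root"
}

# Same shape as the first pipeline in the thread: -l makes the first stage
# print file names, so the "jar:" filter never sees a manifest line.
# (find stands in for grep -r --include so this runs with any POSIX grep.)
scan_with_l() {
    (cd "$1" && find . -type f -name chrome.manifest \
        -exec grep -l '^content' {} + | grep -v 'jar:')
}

# Corrected order: filter the content lines of each manifest first, then
# report the manifest once if any content line lacks "jar:".
scan_flat() {
    (cd "$1" && find . -type f -name chrome.manifest | sort |
        while IFS= read -r m; do
            if grep '^content' "$m" | grep -qv 'jar:'; then
                printf '%s\n' "$m"
            fi
        done)
}

demo_root=$(make_sample_tree)
echo "with -l (every manifest that has a content line):"
scan_with_l "$demo_root" | sort
echo "corrected (manifests with a non-jar content line):"
scan_flat "$demo_root"
rm -rf "$demo_root"
```

Like the greps in the thread, this reports whatever versions are on disk; it does not address the question of which file is the latest version.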
I ran:

 rsync -av /mnt/netapp/ khan-vm:/data/remora-files/

which should have preserved timestamps.  Ran it again just now too.
The timestamps on the files now match up to the real timestamps.  It looks like something touches the files, because a lot of them have a modified date of today.
Group: update-security
Cleaned up the list of "flat" add-ons a bit.
(In reply to comment #12)
> Created an attachment (id=300181) [details]
> Cleaned-up list of "flat" addons
> Cleaned up the list of "flat" add-ons a bit.

Are all of these extensions you've listed on AMO?  I've got a number of extensions I've gotten elsewhere (e.g. Mahalo follow).  I only managed to have two of the 600+ you have on your list (I have 78 total).

Component: Add-ons → Administration
QA Contact: add-ons → administration
Product: → Graveyard