Beginning on October 25th, 2016, Persona will no longer be an option for authentication on BMO. For more details see Persona Deprecated.
Last Comment Bug 413549 - Grep Addons for packages not using .jar
: Grep Addons for packages not using .jar
Product: Graveyard
Classification: Graveyard
Component: Administration (show other bugs)
: unspecified
: All Other
: -- critical
: ---
Assigned To: Wil Clouser [:clouserw]
Depends on:
  Show dependency treegraph
Reported: 2008-01-22 13:42 PST by Brandon Sterne (:bsterne)
Modified: 2016-03-07 07:30 PST (History)
12 users (show)
See Also:
QA Whiteboard:
Iteration: ---
Points: ---

grep -r -l --include=chrome.manifest -e "^content" * | grep -v "jar:" (86.23 KB, text/plain)
2008-01-22 17:17 PST, Wil Clouser [:clouserw]
no flags Details
grep -r --include=chrome.manifest -e "^content" * | grep -v "jar:" (58.84 KB, text/plain)
2008-01-24 00:44 PST, Wil Clouser [:clouserw]
no flags Details
Cleaned-up list of "flat" addons (14.87 KB, text/plain)
2008-01-29 16:32 PST, Brandon Sterne (:bsterne)
no flags Details

Description Brandon Sterne (:bsterne) 2008-01-22 13:42:27 PST
Please grep within all extensions' chrome.manifest files for lines beginning with "contents" and not containing the string "jar:", e.g.

grep "^content" */chrome.manifest | grep -v "jar:"
Comment 1 Brandon Sterne (:bsterne) 2008-01-22 13:45:52 PST
FYI, there was a a vulnerability in Firefox posted on Full Disclosure and others that allows directory traversal on machines that have Firefox extensions installed which utilize flat directory structure instead of .jar archives:
Comment 2 Wil Clouser [:clouserw] 2008-01-22 14:12:32 PST
It's been a long time since we got an updated copy of the addons on remora.  Can we get rsync'd to khan-vm:/data/remora-files/ please?  (On a cron job would be awesome, but once will get this bug resolved.)
Comment 3 matthew zeier [:mrz] 2008-01-22 14:21:49 PST
rsync running right now...
Comment 4 Wil Clouser [:clouserw] 2008-01-22 15:10:38 PST
(In reply to comment #3)
> rsync running right now...

Once it's done, I'll take the bug.
Comment 5 matthew zeier [:mrz] 2008-01-22 15:59:11 PST
Comment 6 Wil Clouser [:clouserw] 2008-01-22 17:17:29 PST
Created attachment 298600 [details]
grep -r -l --include=chrome.manifest -e "^content" * | grep -v "jar:"

Total of 3010 addons.  After all .xpi's and .jar's were extracted, there are 1441 hits off of a total of 1523 chrome.manifest files.  I had to change the command you gave me, so make sure it's what you wanted:

  grep -r -l --include=chrome.manifest -e "^content" * | grep -v "jar:"

The output is attached.  Format is:

Comment 7 Daniel Veditz [:dveditz] 2008-01-24 00:28:32 PST
There's something wrong with the data: I have several of those add-ons and they appear to be jar'd.

Of the un-jar'd ones I have, Intuit's Thumbstrips does not appear on the list and should (addon 5045)

Several appear on the list that appear to use jars in my local copy and shouldn't be on the list. For most it looks like one of several old versions isn't jar'd while the latest one I've got installed is. That makes the size of the list overly alarming -- hard to pick out the real vulnerabilities if everything is listed.

In two cases cases the version numbers seem to correspond with what I have so I'm stumped.

Shouldn't be on list?
  firebug (1.05 on list, my copy is jar'd)
  useragent switcher (0.6.10 on list, my copy is jar'd)

On list due to old version:
  fotofox (1.0.9 on list, installed is Jar'd)
  Link Widgets (2933) (1.3 on list, installed 1.5 is jar'd)
  Tabs Open Relative (1956) (0.1 on list, installed 0.3 is jar'd)
  Zotero (1.0.0b2 on list, installed 1.0.1 is jar'd)
  Image Zoom (0.2 on list, installed 0.3 is jar'd)
  Linkification (1.3.2 on list, installed 1.3.3 is jar'd)
  Flashblock (1.5.3 on list, installed 1.5.5 is jar'd)
  Operator (0.6.2 on list, installed 0.8 is jar'd)
  Together with Foxkeh ( on list, installed is jar'd)
  InspectThis (0.2.9 on list, installed 0.3 is jar'd)
  Web Developer Toolbar (1.1.3 on list, installed 1.1.4 is jar'd)
  AdBlock-Plus (0.7.5 on list, installed is jar'd)
  TorButton (1.0.1 on list, installed is jar'd)

That means most of the extensions I have are on the list, while I'm actually only vulnerable from 1/4 of my extensions.
Comment 8 Wil Clouser [:clouserw] 2008-01-24 00:44:42 PST
Created attachment 298893 [details]
grep -r --include=chrome.manifest -e "^content" * | grep -v "jar:"

The -l on the first grep was making the second grep useless.  As far as versions go, I'm not sure how I can guarantee the latest version with just the files.  They all got rsync'd with the same date/time so I'm just grabbing the last file from an `ls` which isn't guaranteed to be the latest.  mrz: does the source have the correct timestamps, and if so, can you re-rsync preserving them?

In the mean time, here is a new list with the greps working together.  Only 601 hits this time.
Comment 9 Daniel Veditz [:dveditz] 2008-01-24 02:25:43 PST
Comment 10 matthew zeier [:mrz] 2008-01-24 09:52:05 PST
I ran:

 rsync -av /mnt/netapp/ khan-vm:/data/remora-files/

which should have preserved timestamps.  Ran it again just now too.
Comment 11 Jeremy Orem [:oremj] 2008-01-24 09:54:18 PST
The timestamps on the files now match up to the real timestamps.  It looks like something touches the files, because a lot of them have a modified date of today.
Comment 12 Brandon Sterne (:bsterne) 2008-01-29 16:32:15 PST
Created attachment 300181 [details]
Cleaned-up list of "flat" addons

Cleaned up the list of "flat" add-ons a bit.
Comment 13 Scott 2008-01-30 10:51:26 PST
(In reply to comment #12)
> Created an attachment (id=300181) [details]
> Cleaned-up list of "flat" addons
> Cleaned up the list of "flat" add-ons a bit.

Are are all of these extensions you've listed on AMO?  I've got a number of extensions I've gotten elsewhere (e.g. Mahalo follow).  I only manged to have two of the 600+ you have on your list (I have 78 total).

Note You need to log in before you can comment on or make changes to this bug.