Closed Bug 455074 Opened 16 years ago Closed 16 years ago

Using direct links to install xpi files circumvents web site policy check

Categories

(Core Graveyard :: Installer: XPInstall Engine, defect)

Product:
Core Graveyard
Component:
Installer: XPInstall Engine
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

(Not tracked)

Status:
VERIFIED DUPLICATE of bug 322697

People

(Reporter: whimboo, Unassigned)

References

(
URL
)

Details

Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.3pre) Gecko/2008090704 GranParadiso/3.0.3pre ID:2008090704

The installation of Add-ons should only be enabled for authorized web sites. For a fresh profile addons.mozilla.org and update.mozilla.org will be authorized. If users decide to allow other sites they have to explicitly add these sites to the exception list.

If a XPI installation is triggered from a non-authorized site the notification bar appears and asks the user to allow the installation. He can agree and click on Allow to initiate the installation. Clicking the close button cancels the installation. This works fine for e.g. http://extensions.de/#menueextension

But the problem is that everyone can circumvent this policy check by simply let the user open the direct link. Whatever external application (instant messenger, e-mail client) is used, Firefox has only to be set as the systems default browser. The XPI installation dialog is shown and automatically sets the focus to the installation button after the countdown has finished. An accidentally click will cause the installation of a probably non-secure Add-on from a untrusted web site.

The following steps show the problem:
1. Create a fresh profile
2. Copy the following URL to your clipboard
3. Open a new tab and paste the URL into the locationbar
4. Hit Enter

URL: http://downloads.mozdev.org/messageidfinder/messageidfinder-2.0.0.xpi

Instead of warning the user that an Add-on from an untrusted web site will be installed the installation dialog pops-up and wants to install the Add-on.

If the given URL is opened by clicking on it, the notification bar appears as expected.

The described behavior can be seen with each version of Firefox back to Firefox 2 and on all Platforms/OS.

No idea how confidential this issue is so I'll set the security flag.
Flags: blocking1.9.1?
not sure if Henrik meant to cc me, or Sam Sidler, so adding him.
I think this bug is WONTFIX: the purpose of the whitelist is to prevent websites from being annoying or pushing extensions without sufficient user awareness. If you click on an XPI link from a third-party application, you at least get the "you are installing software" dialog. Is that insufficient?
Group: core-security
This is as-designed.

The whitelist prevents a website from abusing a user with install requests, but a user typing (or bookmarking) an install link shows intent on the user's part. The actual security check is the install confirmation dialog just in case the user didn't realize the link was an installer.

There might be a problem if an external app can abusively call firefox with install links, but that would be abusive behavior even if it were safe web content links.
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → DUPLICATE
Status: RESOLVED → VERIFIED
Flags: blocking1.9.1?
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.