Bug 537030: src param not trickling down EULA
Status: Closed
Opened 16 years ago, closed 16 years ago
Categories: addons.mozilla.org Graveyard :: Public Pages, defect, P2
Tracking: Not tracked; VERIFIED FIXED; 5.5
Reporter: fligtar
Assigned: rdoherty
Keywords: regression
Attachments: 1 file, 1 obsolete file
patch, 3.04 KB, clouserw: review+
The src param should trickle to the install button on the EULA page.
https://addons.mozilla.org/en-US/firefox/addons/policy/0/52659/71526?src=recommended
Updated • 16 years ago (Reporter)
Keywords: regression
Comment 1 • 16 years ago (Reporter)
Can we please fix this for 5.5?
Updated • 16 years ago (Assignee)
Assignee: nobody → rdoherty
Comment 2 • 16 years ago (Assignee)
Attachment #419976 - Flags: review?(clouserw)
Comment 3 • 16 years ago
Comment on attachment 419976
v1
>- if (array_key_exists('src', $_GET) && in_array($_GET['src'], array('addondetail'))) {
>+ if (array_key_exists('src', $_GET)) {
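Review bot: On the new `if (array_key_exists('src', $_GET))` line, dropping the in_array() test means any request-supplied value now passes this branch, and array_key_exists() is also true when src arrives as an array (?src[]=...), so the code below can receive a non-string. Suggest adding is_string($_GET['src']) here and either widening the list that in_array() checks or encoding the value where it is written into the install URL.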
The in_array() keeps it from becoming an injection hole. However, I think you've found the easy 1-line fix spot. We just need to expand what in_array() is checking.
Attachment #419976 - Flags: review?(clouserw) → review-
Comment 4 • 16 years ago (Assignee)
Attachment #419976 - Attachment is obsolete: true
Attachment #419989 - Flags: review?(clouserw)
Comment 5 • 16 years ago (Assignee)
(In reply to comment #4)
> Created an attachment (id=419989) [details]
> v2
Added urlencode to appendParametersToUrl(). I don't think a whitelist will work for us b/c people can always add a src that will start with 'external-'.
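The trade-off discussed in comments 3 and 5, as an added example that is not part of the original thread or the AMO code base: a PHP example that accepts the src values seen in this bug plus the 'external-' prefix, then URL-encodes the value and HTML-escapes the finished link. The function names, the character rule for external sources, and the sample path are assumptions.

```php
<?php
// Added example: hypothetical helpers, not the AMO implementation.
// src values that appear in this bug thread.
const KNOWN_SRC = ['addondetail', 'recommended', 'developers', 'homepagebrowse'];

// Return src if acceptable, else null. Assumption: external sources are
// 'external-' plus 1-55 letters, digits, '-' or '_'.
function clean_src(array $query): ?string
{
    $src = $query['src'] ?? null;
    // ?src[]=x makes PHP build an array, so reject anything that is not a string.
    if (!is_string($src)) {
        return null;
    }
    if (in_array($src, KNOWN_SRC, true)) {
        return $src;
    }
    return preg_match('/\Aexternal-[A-Za-z0-9_-]{1,55}\z/', $src) === 1 ? $src : null;
}

// Append src to an install URL and return it ready for an href attribute.
function install_href(string $url, ?string $src): string
{
    if ($src !== null) {
        $sep = (strpos($url, '?') === false) ? '?' : '&';
        // rawurlencode() keeps the value inside its own query parameter.
        $url .= $sep . 'src=' . rawurlencode($src);
    }
    // htmlspecialchars() keeps the URL inside the attribute it is printed in.
    return htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
}

$base = '/downloads/file/0/example.xpi'; // constructed path
// Constructed inputs: known value, external value, malformed string, array.
$samples = [
    ['src' => 'recommended'],
    ['src' => 'external-myblog'],
    ['src' => 'x"&other=1'],
    ['src' => ['x']],
];
foreach ($samples as $q) {
    // Validation first: rejected values produce a link with no src at all.
    echo install_href($base, clean_src($q)), "\n";
}
// Encoding only, with no validation (what comment 9 describes for v2):
echo install_href($base, 'x"&other=1'), "\n";
```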
Comment 6 • 16 years ago
Comment on attachment 419989
v2
I think that'll work, thanks
Attachment #419989 - Flags: review?(clouserw) → review+
Comment 7 • 16 years ago (Assignee)
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Comment 8 • 16 years ago
Is testing on https://preview.addons.mozilla.org/en-US/firefox/addons/policy/0/11730/53612?src=developers enough, or should I test all the various src=parameters?
Comment 9 • 16 years ago (Assignee)
(In reply to comment #8)
> Is testing on
> https://preview.addons.mozilla.org/en-US/firefox/addons/policy/0/11730/53612?src=developers
> enough, or should I test all the various src=parameters?
Any src should work, there's no validation, just escaping of the entered src.
Thx, Ryan: verified on a couple, at least:
* https://preview.addons.mozilla.org/en-US/firefox/addons/policy/0/43603/66437?src=homepagebrowse
* https://preview.addons.mozilla.org/en-US/firefox/addons/policy/0/11730/53612?src=developers
Status: RESOLVED → VERIFIED
Updated • 10 years ago
Product: addons.mozilla.org → addons.mozilla.org Graveyard