Closed
Bug 537030
Opened 15 years ago
Closed 15 years ago
src param not trickling down EULA
Categories
(addons.mozilla.org Graveyard :: Public Pages, defect, P2)
Tracking
(Not tracked)
VERIFIED
FIXED
5.5
People
(Reporter: fligtar, Assigned: rdoherty)
References
()
Details
(Keywords: regression)
Attachments
(1 file, 1 obsolete file)
|
3.04 KB,
patch
|
clouserw
:
review+
|
Details | Diff | Splinter Review |
The src param should trickle to the install button on the EULA page. https://addons.mozilla.org/en-US/firefox/addons/policy/0/52659/71526?src=recommended
|
Reporter | |
Updated•15 years ago
|
Keywords: regression
|
|
Reporter | |
Comment 1•15 years ago
|
||
Can we please fix this for 5.5?
|
Assignee | |
Updated•15 years ago
|
Assignee: nobody → rdoherty
|
|
Assignee | |
Comment 2•15 years ago
|
||
Attachment #419976 -
Flags: review?(clouserw)
|
||
Comment 3•15 years ago
|
||
Comment on attachment 419976 [details] [diff] [review] v1 >- if (array_key_exists('src', $_GET) && in_array($_GET['src'], array('addondetail'))) { >+ if (array_key_exists('src', $_GET)) { The in_array() keeps it from becoming an injection hole. However, I think you've found the easy 1-line fix spot. We just need to expand what in_array() is checking.
Attachment #419976 -
Flags: review?(clouserw) → review-
|
|
Assignee | |
Comment 4•15 years ago
|
||
Attachment #419976 -
Attachment is obsolete: true
Attachment #419989 -
Flags: review?(clouserw)
|
|
Assignee | |
Comment 5•15 years ago
|
||
(In reply to comment #4) > Created an attachment (id=419989) [details] > v2 Added urlencode to appendParametersToUrl(). I don't think a whitelist will work for us b/c people can always add a src that will start with 'external-'.
|
|
||
Comment 6•15 years ago
|
||
Comment on attachment 419989 [details] [diff] [review] v2 I think that'll work, thanks
Attachment #419989 -
Flags: review?(clouserw) → review+
|
|
Assignee | |
Comment 7•15 years ago
|
||
r58928
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
|
||
Comment 8•15 years ago
|
||
Is testing on https://preview.addons.mozilla.org/en-US/firefox/addons/policy/0/11730/53612?src=developers enough, or should I test all the various src=parameters?
|
|
Assignee | |
Comment 9•15 years ago
|
||
(In reply to comment #8) > Is testing on > https://preview.addons.mozilla.org/en-US/firefox/addons/policy/0/11730/53612?src=developers > enough, or should I test all the various src=parameters? Any src should work, there's no validation, just escaping of the entered src.
Thx, Ryan: verified on a couple, at least: * https://preview.addons.mozilla.org/en-US/firefox/addons/policy/0/43603/66437?src=homepagebrowse * https://preview.addons.mozilla.org/en-US/firefox/addons/policy/0/11730/53612?src=developers
Status: RESOLVED → VERIFIED
|
||
Updated•8 years ago
|
Product: addons.mozilla.org → addons.mozilla.org Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•