Closed Bug 588220 Opened 15 years ago Closed 15 years ago

Plugin not detected when only release is vulnerable and platform specific

Categories

(Websites :: plugins.mozilla.org, defect)

x86
All
defect
Not set
normal

Tracking

(Not tracked)

VERIFIED FIXED

People

(Reporter: rdoherty, Assigned: ozten)

Attachments

(1 file)

STR:

1) Create a plugin with only 1 release, mark as vulnerable and set OS name to your OS (https://plugins.stage.mozilla.com/en-us/plugins/detail/apple-quicktime;edit). This is to reproduce conditions necessary for bug 565398 (latest release of a plugin for your OS is vulnerable and should be disabled).
2) Go to http://www-trunk.stage.mozilla.com/en-US/plugincheck/, see that the plugin is not listed even though it is installed. (Perfidies lists quicktime 7.6.6.0 on my machine)

I do see the ajax request going to plugins.mozilla.org for quicktime and a normal (afaik) response coming back with the plugin details. I'm not sure what's going on, this might be related to bug 565398 as it's what I was testing when I discovered this bug.

(In reply to comment #0)

I think this is a backend issue. The following returns info for 1 plugin (VLC) but not QuickTime as expected:

http://plugins.stage.mozilla.com/pfs/v2?appID=%7Bec8030f7-c20a-464f-9b0e-13a3a9e97384%7D&appRelease=3.6.8&appVersion=20100722150226&clientOS=Intel+Mac+OS+X+10.5&chromeLocale=en-US&detection=original&mimetype=application%2Fsdp+application%2Fx-sdp+application%2Fx-rtsp+video%2Fquicktime+video%2Fx-msvideo+video%2Fmsvideo+video%2Favi+video%2Fflc+application%2Fx-ogg+application%2Fogg+video%2Fx-ogg+video%2Fogg+application%2Fx-annodex+application%2Fannodex+video%2Fx-annodex+video%2Fannodex+audio%2Fx-wav+audio%2Fwav+audio%2Faiff+audio%2Fx-aiff+audio%2Fbasic+audio%2Fmid+audio%2Fx-midi+audio%2Fmidi+audio%2Fvnd.qcelp+audio%2Fx-gsm+audio%2FAMR+audio%2Faac+audio%2Fx-aac+audio%2Fx-caf+audio%2Fac3+audio%2Fx-ac3+audio%2Fx-ogg+audio%2Fogg+audio%2Fx-speex+audio%2Fspeex+audio%2Fx-annodex+audio%2Fannodex+video%2Fx-mpeg+video%2Fmpeg+audio%2Fmpeg+audio%2Fx-mpeg+video%2F3gpp+audio%2F3gpp+video%2F3gpp2+audio%2F3gpp2+video%2Fsd-video+application%2Fx-mpeg+video%2Fmp4+audio%2Fmp4+audio%2Fx-m4a+audio%2Fx-m4p+audio%2Fx-m4b+video%2Fx-m4v+audio%2Fmp3+audio%2Fx-mp3+audio%2Fmpeg3+audio%2Fx-mpeg3+image%2Fx-bmp+image%2Fx-macpaint+image%2Fpict+image%2Fx-pict+image%2Fpng+image%2Fx-png+image%2Fx-quicktime+image%2Fx-sgi+image%2Fx-targa+image%2Ftiff+image%2Fx-tiff+image%2Fjp2+image%2Fjpeg2000+image%2Fjpeg2000-image+image%2Fx-jpeg2000-image&callback=C

Oddly if you replace the detection type with version_detection then *you do* get the QuickTime release... Tested this for fun, we don't send version_detection currently since this is detected via pinlady.net

I'm not sure what the backend bug is - what was the expected output? This is what I get for the above URL, which does include a latest release for Quicktime, marked as "maybe_vulnerable":

$ curl -s 'http://plugins.stage.mozilla.com/pfs/v2?appID=%7Bec8030f7-c20a-464f-9b0e-13a3a9e97384%7D&appRelease=3.6.8&appVersion=20100722150226&clientOS=Intel+Mac+OS+X+10.5&chromeLocale=en-US&detection=original&mimetype=application%2Fsdp+application%2Fx-sdp+application%2Fx-rtsp+video%2Fquicktime+video%2Fx-msvideo+video%2Fmsvideo+video%2Favi+video%2Fflc+application%2Fx-ogg+application%2Fogg+video%2Fx-ogg+video%2Fogg+application%2Fx-annodex+application%2Fannodex+video%2Fx-annodex+video%2Fannodex+audio%2Fx-wav+audio%2Fwav+audio%2Faiff+audio%2Fx-aiff+audio%2Fbasic+audio%2Fmid+audio%2Fx-midi+audio%2Fmidi+audio%2Fvnd.qcelp+audio%2Fx-gsm+audio%2FAMR+audio%2Faac+audio%2Fx-aac+audio%2Fx-caf+audio%2Fac3+audio%2Fx-ac3+audio%2Fx-ogg+audio%2Fogg+audio%2Fx-speex+audio%2Fspeex+audio%2Fx-annodex+audio%2Fannodex+video%2Fx-mpeg+video%2Fmpeg+audio%2Fmpeg+audio%2Fx-mpeg+video%2F3gpp+audio%2F3gpp+video%2F3gpp2+audio%2F3gpp2+video%2Fsd-video+application%2Fx-mpeg+video%2Fmp4+audio%2Fmp4+audio%2Fx-m4a+audio%2Fx-m4p+audio%2Fx-m4b+video%2Fx-m4v+audio%2Fmp3+audio%2Fx-mp3+audio%2Fmpeg3+audio%2Fx-mpeg3+image%2Fx-bmp+image%2Fx-macpaint+image%2Fpict+image%2Fx-pict+image%2Fpng+image%2Fx-png+image%2Fx-quicktime+image%2Fx-sgi+image%2Fx-targa+image%2Ftiff+image%2Fx-tiff+image%2Fjp2+image%2Fjpeg2000+image%2Fjpeg2000-image+image%2Fx-jpeg2000-image' | prettyjson
[
    {
        "releases": {
            "others": [],
            "latest": {
                "app_release": "*",
                "fetched": "2010-08-19T18:21:51-07:00",
                "version": "7.6.6.0",
                "locale": "*",
                "app_id": "*",
                "detection_type": "*",
                "guid": "{a42bb825-7eee-420f-8ee7-834062b6fefd}",
                "id": "8",
                "pfs_id": "apple-quicktime",
                "manual_installation_url": "http://www.apple.com/quicktime/download/",
                "os_id": "10",
                "relevance": 6,
                "plugin_id": "29",
                "app_version": "*",
                "status": "maybe_vulnerable",
                "os_name": "Intel Mac OS X 10.5",
                "vendor": "Apple",
                "detected_version": "7.6.6.0",
                "name": "QuickTime Plug-in",
                "created": "2010-08-18T05:34:10+00:00",
                "url": "http://www.apple.com/quicktime/download/",
                "modified": "2010-08-18T05:34:10+00:00",
                "platform_id": "8"
            }
        },
        "aliases": {
            "regex": [
                ".*QuickTime.*",
                ".*QuickTime.*",
                ".*QuickTime.*"
            ],
            "literal": [
                "QuickTime Plug-in",
                "QuickTime Plug-in",
                "QuickTime Plug-in 7.6.3",
                "QuickTime Plug-in"
            ]
        }
    },
    {
        "releases": {
            "others": [],
            "latest": {
                "status": "latest",
                "app_release": "*",
                "os_name": "*",
                "vendor": "VideoLAN Project",
                "name": "VLC Multimedia Plug-in",
                "created": "2010-07-15T04:54:45+00:00",
                "url": "http://www.videolan.org/vlc/",
                "fetched": "2010-08-19T18:21:51-07:00",
                "modified": "2010-07-15T04:54:45+00:00",
                "app_id": "*",
                "platform_id": "8",
                "locale": "*",
                "detection_type": "*",
                "os_id": "1",
                "version": "1.0.2",
                "relevance": 1,
                "app_version": "*",
                "plugin_id": "16",
                "detected_version": "1.0.2",
                "id": "8",
                "pfs_id": "videolan-vlc"
            }
        },
        "aliases": {
            "literal": [
                "VLC Multimedia Plug-in"
            ]
        }
    }
]

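Added example (not part of the bug thread, and not the plugincheck or Perfidies code): a client-side classifier over the response shape shown in the comment above, which keeps a matched plugin listed when its only known release is marked "maybe_vulnerable". The sample data is constructed by trimming that response; the function names and the "unknown", "outdated" and "newer" labels are assumptions of this example, and the thread does not state the actual cause of the bug.

```javascript
// Constructed sample: the two entries from the response above, trimmed to the
// fields this example reads. Field names and values are as shown on the page.
const pfsResponse = [
  { releases: { others: [], latest: { pfs_id: "apple-quicktime", version: "7.6.6.0",
      status: "maybe_vulnerable", os_name: "Intel Mac OS X 10.5" } },
    aliases: { regex: [".*QuickTime.*"], literal: ["QuickTime Plug-in"] } },
  { releases: { others: [], latest: { pfs_id: "videolan-vlc", version: "1.0.2",
      status: "latest", os_name: "*" } },
    aliases: { literal: ["VLC Multimedia Plug-in"] } },
];

// Compare dotted numeric versions; returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// True when the installed plugin name matches a literal or regex alias.
function matchesAlias(entry, name) {
  const aliases = entry.aliases || {};
  if ((aliases.literal || []).includes(name)) return true;
  return (aliases.regex || []).some((p) => new RegExp("^(?:" + p + ")$").test(name));
}

// Classify one installed plugin. A matched plugin is always returned (never
// dropped), so a vulnerable "latest" release still reaches the UI.
// "unknown", "outdated" and "newer" are labels invented for this example.
function classifyPlugin(installed, response) {
  const entry = response.find((e) => matchesAlias(e, installed.name));
  if (!entry || !entry.releases.latest)
    return { name: installed.name, pfs_id: null, status: "unknown" };
  const { latest, others = [] } = entry.releases;
  const exact = [latest, ...others].find(
    (r) => compareVersions(r.version, installed.version) === 0);
  const status = exact ? exact.status
    : compareVersions(installed.version, latest.version) < 0 ? "outdated" : "newer";
  return { name: installed.name, pfs_id: latest.pfs_id, status };
}

// Statuses that should be surfaced as a warning instead of hiding the plugin.
function needsWarning(result) {
  return ["maybe_vulnerable", "outdated"].includes(result.status);
}
```
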
(In reply to comment #3) I wasn't seeing this maybe_vulnerable status. I'll test this tomorrow morning.
Now that I'm seeing QuickTime, I can repro the issue. I'm working on a patch.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Assignee: lorchard → ozten.bugs
Status: RESOLVED → VERIFIED