Closed Bug 725528 Opened 12 years ago Closed 12 years ago

Perform Security Review for DTPT Facebook Tab Phase 2

(mozilla.org :: Security Assurance: Applications, task)

VERIFIED FIXED

People

(Reporter: ckoehler, Assigned: rforbes)

Details

NOTE: Nobox still needs to merge the new tab code into Github. Testing should not begin until that has been done and stage has been updated.

1. A quick intro to what this app does.

This is the second iteration of a Facebook application tab for the DTPT campaign. It should be tested within Facebook.

Description of what the tab does:
https://wiki.mozilla.org/Websites/De_Todos_Para_Todos#Facebook_Tab_Phase_II_mechanics

2. Where is the source code located?

https://github.com/Nobox/Mozilla-DeTodosParaTodos-Site/tree/master/tab

3. Is there a stage server running that we can also test against? If so, please indicate what machine the web server is running on.

Prod URL: http://detodosparatodos.org/tab/
Dev URL: http://detodosparatodos-dev.allizom.org/tab/
Stage URL: http://detodosparatodos.allizom.org/tab/

(Credentials for Dev and Stage on intranet and in bug 701575)

Facebook environment: http://noboxapps.com/mozilla/dtpt_p2/?lang=es

4. Where would you like the bugs filed in bugzilla? Please specify the product, component and if anyone specific should be copied on the bugs.

Product / Component: Websites :: detodosparatodos.org

CC: ckoehler@mozilla.com, david@nobox.com

Quick link: http://bit.ly/wzAgMg

5. Will this application be collecting any personally identifiable information from users (email address, physical address, phone number, etc)?

No. It does keep a count of how many people add the application to Facebook.

6. Please describe if this app will be connecting to any internal or external services or if it is able to interact with the OS.

The app is meant to be part of the Firefox Facebook page. It does not connect to any other services besides FB.

7. Does this app support logins or multiple roles? If so, we'll need test accounts created for each available role.

It supports logins through Facebook (you have to be logged in to Facebook in order to use it). Multiple roles are not supported.

8. What is the worst case scenario that could happen with this system, data or connected systems? (This is used to help understand the criticality of this server.)

If this code were compromised, it could potentially collect information from a user's Facebook profile and post to their Wall.

9. Does this website contain an administration page? If so, have the admin page blockers (listed here) all been addressed?

No.

10. This review will be scheduled amongst other requested reviews. What is the urgency or needed completion date of this review?

As soon as you are able to test.
Depends on: 725696
Depends on: 727104
We've rolled back the new FB tab code temporarily in order to release a hotfix. We should be done with this by the end of today. I'll update this ticket when the app tab is available again for testing on dev and stage.
I included the wrong link to the app within Facebook, here is the correct one:
http://www.facebook.com/NoboxApps?sk=app_135738119881176
Correction, this is the version of the tab that's hosted on our servers:
https://www.facebook.com/NoboxApps?sk=app_388204674540127

You'll be prompted for a username and password. These credentials are the same as the ones for the dev and stage site and you can find them on the intranet or mana and in bug 701575.
Any update on when this is scheduled to happen? QA review has completed.
:ckoehler I went through the code and I have only one concern so far. The php line that loads the language does no checking to validate the php is a valid language file. As it stands, this isn't a huge deal as the app supports one language and that language is hard coded into the app. What is the thought when you want to add more languages?
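A defensive pattern for the language-file include raised in the comment above, added here as an illustration and not code from the Nobox repository: the requested locale is matched against a fixed allowlist before anything is included, so the file name passed to include() is never built from the raw request. The `lang` query parameter comes from the tab URL on this page; the `lang/<code>.php` layout and the locale list (the `es-ar` and `pt-br` mentioned later in the bug, plus a default) are assumptions.

```php
<?php
// Added example (not the DTPT tab's own code). Assumes translations live in
// lang/<code>.php beside this file and each file does `return [ ... ];`.

// Fixed allowlist of shipped locales. Only these strings can reach include().
const SUPPORTED_LANGS = ['es', 'es-ar', 'pt-br'];
const DEFAULT_LANG    = 'es';

/**
 * Map an untrusted request value to one of the shipped locale codes.
 * Anything not in the allowlist (wrong case, extra characters, path
 * separators, missing) falls back to the default instead of being used.
 */
function resolveLang(?string $requested): string
{
    if ($requested === null) {
        return DEFAULT_LANG;
    }
    // Strict, exact comparison against the allowlist; no normalisation.
    return in_array($requested, SUPPORTED_LANGS, true) ? $requested : DEFAULT_LANG;
}

/**
 * Include the language file for an already-allowlisted code and return the
 * array of strings it defines. The path is assembled from the allowlisted
 * value only, never from $_GET directly.
 */
function loadLanguage(string $lang): array
{
    $path = __DIR__ . '/lang/' . $lang . '.php';
    if (!is_file($path)) {
        // A shipped file is missing: fail closed rather than include anything else.
        throw new RuntimeException("Missing language file for '$lang'");
    }
    $strings = include $path;
    return is_array($strings) ? $strings : [];
}

// Typical use at the top of the tab page.
$lang    = resolveLang($_GET['lang'] ?? null);
$strings = loadLanguage($lang);
```

Adding a new locale then means adding one file and one allowlist entry, which answers the "more languages" question without ever trusting the request value as a file name.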
(In reply to Raymond Forbes[:rforbes] from comment #6)
> :ckoehler i went through the code and I have only one concern so far.  The
> php line that loads the language does no checking to validate the php is a
> valid language file.  As it stands, this isn't a huge deal as the app
> supports one language and that language is hard coded into the app.  What is
> the thought when you want to add more languages?

Good question; this campaign is specifically targeted for the Latin American market, so I think it's very unlikely that additional languages will be added.
do you not see a need for both Spanish and Portuguese?
Assignee: infrasec → rforbes
(In reply to Raymond Forbes[:rforbes] from comment #8)
> do you not see a need for both Spanish and Portuguese?

The app does support pt-br and es-ar (that's what the 'Argentina' and 'Brasil' links are in the upper-right corner).
Hi everyone. This tab is only intended to be in Spanish and Portuguese since this is a LATAM-specific effort. Let us know if you have any questions. Would love to go Live with this Monday. We have a media campaign pending going live with this tab that would be great to launch soon.
You look good. Go ahead and launch this.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Status: RESOLVED → VERIFIED
Whiteboard: [pending secreview]