Closed Bug 776731 Opened 12 years ago Closed 12 years ago

cfx xpi should reject update-link without https

Categories

(Add-on SDK Graveyard :: General, defect)

x86
macOS
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: BenWa, Unassigned)

Attachments

(1 file)

I lost nearly an hour today to find out the reason my addon wasn't compatible with nightly was because the updatelink wasn't https. We should fix this.
According to https://developer.mozilla.org/en/Extension_Versioning,_Update_and_Compatibility#Securing_Updates you can use a plain http link if you supply an updateHash with it. 

Alex, do you know if cfx deals with updateHash correctly?
As a point of reference this is the build script I was using with HTTP, note that it's fixed on the head revision to use https:
https://github.com/bgirard/PlatformDebug/blob/28dc6627419bc24acfcbc398ecd1e7f7996a4cbb/build.sh

From what I gather it didn't have a chance of working without HTTPS.
This catches it for me in a really quick test addon I threw together:

(C:\Users\KWierso\Documents\GitHub\addon-sdk) C:\Users\KWierso\Documents\GitHub\
myaddon>cfx xpi --update-link http://people.mozilla.org/~bgirard/PlatformDebug/P
latformDebug.xpi --update-url http://people.mozilla.org/~bgirard/PlatformDebug/P
latformDebug.update.rdf
Traceback (most recent call last):
  File "C:\Users\KWierso\Documents\GitHub\addon-sdk\bin\cfx", line 33, in <modul
e>
    cuddlefish.run()
  File "C:\Users\KWierso\Documents\GitHub\addon-sdk\python-lib\cuddlefish\__init
__.py", line 741, in run
    raise optparse.OptionValueError("--update-link must start with 'https': %s"
% options.update_link)
optparse.OptionValueError: --update-link must start with 'https': http://people.
mozilla.org/~bgirard/PlatformDebug/PlatformDebug.xpi

(C:\Users\KWierso\Documents\GitHub\addon-sdk) C:\Users\KWierso\Documents\GitHub\
myaddon>cfx xpi --update-link https://people.mozilla.org/~bgirard/PlatformDebug/
PlatformDebug.xpi --update-url https://people.mozilla.org/~bgirard/PlatformDebug
/PlatformDebug.update.rdf
Exporting update description to myaddon.update.rdf.
Exporting extension to myaddon.xpi.
Attachment #645113 - Flags: review?(rFobic)
Attachment #645113 - Flags: review?(rFobic) → review+
Commit pushed to master at https://github.com/mozilla/addon-sdk

https://github.com/mozilla/addon-sdk/commit/84cdc9b0a1f3102764219fcd1f659af2bb4ce6b7
Merge pull request #522 from Gozala/bug/https-update-link@776731

fix Bug 776731 - cfx xpi should reject update-link without https r=@gozala
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
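
Added example, not part of the bug thread and not cfx's own code: a Python sketch of the rule discussed above, where an update link is accepted over https, or over plain http only when an updateHash accompanies it. This goes beyond the https-only check that landed; the function names, the set of accepted digests and the example.org URLs are assumptions made for illustration. The scheme is parsed rather than prefix-matched, so a link such as "httpsx://..." is not accepted.

```python
import hashlib
import re
from urllib.parse import urlsplit

# Assumption of this example: only these digests are accepted (hex lengths).
ALLOWED_HASHES = {"sha256": 64, "sha384": 96, "sha512": 128}


def make_update_hash(xpi_bytes, algo="sha256"):
    """Return an updateHash string of the form '<algo>:<hex digest>'."""
    if algo not in ALLOWED_HASHES:
        raise ValueError("unsupported hash algorithm: %s" % algo)
    return "%s:%s" % (algo, hashlib.new(algo, xpi_bytes).hexdigest())


def is_well_formed_hash(update_hash):
    """True if update_hash names an allowed digest with the right hex length."""
    algo, _, digest = (update_hash or "").partition(":")
    return (algo in ALLOWED_HASHES
            and len(digest) == ALLOWED_HASHES[algo]
            and re.fullmatch(r"[0-9a-fA-F]+", digest) is not None)


def check_update_link(link, update_hash=None):
    """Return how the update is protected, or raise ValueError if it is not."""
    parts = urlsplit(link)
    if not parts.netloc:
        raise ValueError("update link has no host: %s" % link)
    if parts.scheme.lower() == "https":
        return "https"
    if parts.scheme.lower() == "http" and is_well_formed_hash(update_hash):
        return "http+hash"
    raise ValueError(
        "update link must be https, or http with an updateHash: %s" % link)


if __name__ == "__main__":
    sample_xpi = b"constructed stand-in for XPI bytes"
    digest = make_update_hash(sample_xpi)
    for link, h in [("https://example.org/addon.xpi", None),
                    ("http://example.org/addon.xpi", digest),
                    ("http://example.org/addon.xpi", None)]:
        try:
            print(link, "->", check_update_link(link, h))
        except ValueError as err:
            print("rejected:", err)
```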