Closed
Bug 823691
Opened 12 years ago
Closed 12 years ago
We should catch bad permissions in the manifest during validation
Categories
(Marketplace Graveyard :: Validation, defect)
Tracking
(Not tracked)
VERIFIED
FIXED
2013-01-03
People
(Reporter: krupa.mozbugs, Assigned: basta)
Details
I found a packaged app which upon installation would throw this JS error:

12-20 20:48:24.533 E/GeckoConsole( 109): [JavaScript Error: "PermissionsInstaller.jsm: 'device-storage' is not a valid Webapps permission name." {file: "resource://gre/modules/PermissionsInstaller.jsm" line: 122}]

We should be more stringent during validation and not allow bad permissions in the manifest.

http://mxr.mozilla.org/mozilla-central/source/dom/apps/src/PermissionsTable.jsm#67
Comment 1•12 years ago
I like this idea. Jonas - is there any reason not to keep a list of the permissions in the validator and reject apps asking for something not on the list?
Nope, it would be great if we enforce this on the marketplace side! We should definitely not sign any package where there are permissions that don't (yet) have a meaning.
Updated•12 years ago
Assignee: nobody → mattbasta
Target Milestone: --- → 2013-01-03
Assignee
Comment 3•12 years ago
The validator originally did this, but we decided about three months ago not to because the docs don't keep up with the implementation (and we're generally slow to update the validator), meaning folks were getting spurious warnings that the permissions they were using weren't valid permissions. Are you sure that we should reverse this? Is the cost of being a few weeks out of date worth the extra strictness in the long run?
The set of permissions is now pretty stable. Definitely stable enough that being a few weeks out won't be a big deal. We really should never sign an app which contains permissions that we don't understand since that can have unknown security implications for the end user. So if we don't catch this in the validator, we should definitely make sure it gets caught during review.
Assignee
Comment 5•12 years ago
https://github.com/mozilla/app-validator/commit/ef4e2970ccfffc25e6584c27ec8963f657eeddd6
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Reporter
Comment 6•12 years ago
Verified fixed at https://marketplace-dev.allizom.org/developers/upload/ebd884e4e624462e9ec765281dc692a4
We are using https://docs.google.com/spreadsheet/ccc?key=0Akyz_Bqjgf5pdENVekxYRjBTX0dCXzItMnRyUU1RQ0E#gid=0?
Status: RESOLVED → VERIFIED
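The allowlist check discussed in this bug, as an added Python example (not the app-validator commit linked in comment 5 and not Mozilla's code): it rejects any manifest permission name outside a known set and fails closed on a malformed `permissions` field. The permission set is a constructed subset, and `validate_permissions` and the sample manifest are hypothetical.

```python
import json

# Constructed subset of permission names (an assumption of this example); a real
# validator would mirror the full table the platform's PermissionsTable.jsm defines.
KNOWN_PERMISSIONS = frozenset({
    "alarms", "contacts", "geolocation", "systemXHR", "tcp-socket",
    "device-storage:music", "device-storage:pictures",
    "device-storage:sdcard", "device-storage:videos",
})


def validate_permissions(manifest_text):
    """Return a list of error strings; an empty list means the manifest passes."""
    try:
        manifest = json.loads(manifest_text)
    except ValueError as exc:
        return ["manifest is not valid JSON: %s" % exc]
    if not isinstance(manifest, dict):
        return ["manifest must be a JSON object"]
    permissions = manifest.get("permissions", {})
    if not isinstance(permissions, dict):
        return ["'permissions' must be an object keyed by permission name"]

    errors = []
    for name in sorted(permissions):
        if name in KNOWN_PERMISSIONS:
            continue
        # Fail closed: an unrecognised name is an error, never a warning,
        # because the package would otherwise be signed with it.
        msg = "unknown permission %r" % name
        hints = sorted(p for p in KNOWN_PERMISSIONS if p.startswith(name + ":"))
        if hints:
            msg += " (did you mean one of: %s?)" % ", ".join(hints)
        errors.append(msg)
    return errors


# Constructed manifest using the bare 'device-storage' name from the bug description.
SAMPLE_MANIFEST = """{
  "name": "Example App",
  "permissions": {
    "geolocation": {"description": "Show nearby places"},
    "device-storage": {"description": "Save photos", "access": "readwrite"}
  }
}"""

if __name__ == "__main__":
    for error in validate_permissions(SAMPLE_MANIFEST):
        print("ERROR:", error)
```

Matching is exact and case-sensitive, so a name that differs only in case from a known permission is rejected as well.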