The default bug view has changed. See this FAQ.

We should catch bad permissions in the manifest during validation

VERIFIED FIXED in 2013-01-03

Status

Marketplace
Validation
VERIFIED FIXED
4 years ago
4 years ago

People

(Reporter: krupa, Assigned: basta)

Tracking

2013-01-03
Points:
---

Details

(Reporter)

Description

4 years ago
I found a packaged app which upon installation would throw this JS error

12-20 20:48:24.533 E/GeckoConsole(  109): [JavaScript Error: "PermissionsInstaller.jsm: 'device-storage' is not a valid Webapps permission name." {file: "resource://gre/modules/PermissionsInstaller.jsm" line: 122}]

We should be more stringent during validation and not allow bad persmissions in the manifest. 

http://mxr.mozilla.org/mozilla-central/source/dom/apps/src/PermissionsTable.jsm#67
I like this idea.  Jonas - is there any reason not to keep a list of the permissions in the validator and reject apps asking for something not on the list?
Nope, it would be great if we enforce this on the marketplace side! We should definitely not sign any package where there are permissions that don't (yet) have a meaning.
Assignee: nobody → mattbasta
Target Milestone: --- → 2013-01-03
(Assignee)

Comment 3

4 years ago
The validator originally did this, but we decided about three months ago not to because the docs don't keep up with the implementation (and we're generally slow to update the validator), meaning folks were getting spurious warnings that the permissions they were using weren't valid permissions.

Are you sure that we should reverse this? Is the cost of being a few weeks out of date worth the extra strictness in the long run?
The set of permissions is now pretty stable. Definitely stable enough that being a few weeks out won't be a big deal.

We really should never sign an app which contains permissions that we don't understand since that can have unknown security implications for the end user. So if we don't catch this in the validator, we should definitely make sure it gets caught during review.
(Assignee)

Comment 5

4 years ago
https://github.com/mozilla/app-validator/commit/ef4e2970ccfffc25e6584c27ec8963f657eeddd6
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED
(Reporter)

Comment 6

4 years ago
verified fixed at https://marketplace-dev.allizom.org/developers/upload/ebd884e4e624462e9ec765281dc692a4

We are using https://docs.google.com/spreadsheet/ccc?key=0Akyz_Bqjgf5pdENVekxYRjBTX0dCXzItMnRyUU1RQ0E#gid=0?
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.