Closed
Bug 843802
Opened 11 years ago
Closed 11 years ago
Don't accept an appType parameter when sideloading apps.
Categories
(Firefox OS Graveyard :: General, defect)
Tracking
(firefox20 wontfix, firefox21 wontfix, firefox22 fixed, b2g18 fixed, b2g18-v1.0.0 wontfix, b2g18-v1.0.1 wontfix)
RESOLVED
FIXED
B2G C4 (2jan on)
People
(Reporter: fabrice, Assigned: fabrice)
Details
Attachments
(1 file)
10.23 KB,
patch
|
ferjm
:
review+
overholt
:
approval-mozilla-b2g18+
|
Details | Diff | Splinter Review |
Currently the remote sideloading actor honors an "appType" parameter that was designed to let change the application status easily. Unfortunately that can lead to hard to debug conflicts when it's different from the status declared in the manifest. This patch removes the appType parameter and look for the app status in the manifest itself instead.
Attachment #716754 -
Flags: review?(ferjmoreno)
Comment 1•11 years ago
|
||
Comment on attachment 716754 [details] [diff] [review] patch Review of attachment 716754 [details] [diff] [review]: ----------------------------------------------------------------- Looks good. r=me with the comments addressed, please. ::: b2g/chrome/content/dbg-webapps-actors.js @@ +85,5 @@ > message: aMsg > }); > }, > > + _getAppType: function wa_actorGetAppType(aManifest) { We only need the manifest 'type' member, so there is no need to get the whole manifest object as a function parameter. @@ +109,5 @@ > let manFile = aDir.clone(); > manFile.append("manifest.webapp"); > + DOMApplicationRegistry._loadJSONAsync(manFile, function(aManifest) { > + if (!aManifest) { > + self._sendError("Error Parsing manifest.webapp", aId); It seems that we need to early return here... @@ +117,5 @@ > + > + // In production builds, don't allow installation of certified apps. > +#ifdef MOZ_OFFICIAL > + if (appType == Ci.nsIPrincipal.APP_STATUS_CERTIFIED) { > + self._sendError("Installing certified apps is not allowed.", aId); ... and here. @@ +137,3 @@ > > + if (!aMetadata.origin) { > + self._sendError("Missing 'origin' propery in metadata.json", aId); typo: "property" @@ +191,4 @@ > > + DOMApplicationRegistry._loadJSONAsync(manFile, function(aManifest) { > + if (!aManifest) { > + self._sendError("Error Parsing manifest.webapp", aId); return; @@ +198,5 @@ > > + // In production builds, don't allow installation of certified apps. > +#ifdef MOZ_OFFICIAL > + if (appType == Ci.nsIPrincipal.APP_STATUS_CERTIFIED) { > + self._sendError("Installing certified apps is not allowed.", aId); return; @@ +209,5 @@ > + origin: origin, > + installOrigin: origin, > + manifestURL: origin + "/manifest.webapp", > + appStatus: appType > + } missing ;
Attachment #716754 -
Flags: review?(ferjmoreno) → review+
Assignee | ||
Comment 2•11 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/87be4954d11b
Assignee | ||
Comment 3•11 years ago
|
||
Comment on attachment 716754 [details] [diff] [review] patch NOTE: Please see https://wiki.mozilla.org/Release_Management/B2G_Landing to better understand the B2G approval process and landings. [Approval Request Comment] This patch only deals with a developer facing feature used to sideload apps. It removes a parameter that was designed to allow easy tweaking of the application privilege level, but that ended up leading unexpected app states (eg, privileged permissions but no CSP). We now check everything at install time on the device instead of trusting the sideloading client.
Attachment #716754 -
Flags: approval-mozilla-b2g18?
Comment 4•11 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/87be4954d11b
Assignee: nobody → fabrice
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Updated•11 years ago
|
Attachment #716754 -
Flags: approval-mozilla-b2g18? → approval-mozilla-b2g18+
Comment 5•11 years ago
|
||
https://hg.mozilla.org/releases/mozilla-b2g18/rev/32b133952b6f
status-b2g18:
--- → fixed
status-b2g18-v1.0.0:
--- → wontfix
status-b2g18-v1.0.1:
--- → wontfix
status-firefox20:
--- → wontfix
status-firefox21:
--- → wontfix
status-firefox22:
--- → fixed
Target Milestone: --- → B2G C4 (2jan on)
You need to log in
before you can comment on or make changes to this bug.
Description
•