Anyone can access previous versions of a packaged app.

RESOLVED WONTFIX

Status

Marketplace
Security

Details

Example: The current version of the calculator app is version 1.1.  You can still download version 1.0 by visiting:

https://marketplace.firefox.com/downloads/file/191744/calculator-2-1.0.zip?src=

I think that this is a bad idea, because if 1.0 had a known vulnerability or flaw, say involving payments, new users could still install the older flawed versions instead of the latest fixed version.  This won't solve the issue with getting current installs updated, but we shouldn't be trying to force existing users to update.

The only way around this currently is for developers to delete the previous version of their app.  We don't document this, so it might be better to make the old version links only available to the authenticated author and/or marketplace admins.

To view the previous version links:

1. Go to https://marketplace.firefox.com/
2. Sign in
3. Visit my submissions
4. Visit a submitted app that has multiple versions
5. Visit Manage Status & Versions

You can then get the links to prior versions by clicking Download for prior versions.

There are reasons that a person would want to access older versions of an app (incompatibility with new devices, people who don't want to accept new TOS, etc.).  If there is a security problem we should remove that version, but removing access to all older versions seems a bit heavy handed.  I'd like to wontfix this.  Andrew: any opinion here?

If a user can figure out how to serve up a mini manifest off our domain with it pointing to a `package_path` for an older `.zip`, I would be so hella impressed. I vote WONTFIX.

Yeah, agree with cvan and Wil.  We don't expose these old downloads anywhere so I think there is little risk any naive user would accidentally install them.
vote WONTFIX.

Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → WONTFIX