Closed Bug 878105 Opened 11 years ago Closed 11 years ago

Ensure origin for packaged app is unique

Categories

(Marketplace Graveyard :: Developer Pages, defect, P1)

Product:
Marketplace Graveyard
Component:
Developer Pages
Platform:
x86
macOS
Type:
defect

Tracking

(Not tracked)

Status:
VERIFIED FIXED
Milestone:
2013-07-18

People

(Reporter: andy+bugzilla, Assigned: robhudson)

References

Details

In bug 852720 packaged apps were allowed to have an origin in the manifest. This is for the developer tools to ensure that if an origin is present on a packaged app, it is unique within the marketplace.
Why do we need them to be unique?
I'm trying to remember the security meeting, I was wonder the impression we didn't want colliding origins. But I can't remember exactly, Raymond can you remember.

If they aren't unique, I can't use them for receipts and would have to use something else.
Flags: needinfo?(rforbes)
Blocks: 867265
Nevermind, https://bugzilla.mozilla.org/show_bug.cgi?id=879437#c13 says they are unique
No longer blocks: 867265
Flags: needinfo?(rforbes)
Priority: -- → P1
Blocks: 867265
When the switch 'webapps-unique-by-domain' is enabled this already happens. Should we separate packaged app origins from this switch so they are always unique? Seems like a good idea to me.
Assignee: nobody → robhudson.mozbugs
https://github.com/mozilla/zamboni/commit/19e7156
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → 2013-06-27
Please add STR here or mark it with [qa-] if no QA is needed.
To verify:
Submit a packaged app with an origin. Try to submit a 2nd packaged app with that same origin. You should get an error at submission time.
I tried to submit a 2nd packaged app with the same origin, and after I clicked contine, it just refreshed the submission page and no error message was displayed. I got the same behavior after submitting a packaged app with an invalid origin. Verified in https://marketplace-dev.allizom.org/developers/submit/ on FF25 (Win 7)
Please see screencast http://screencast.com/t/8LJxXDTdXQwQ
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Target Milestone: 2013-06-27 → 2013-07-18
I started working on this and it's more complicated than it seems. (Likewise for bug 892694 when we get to it).

The reason is we're validating a zip file before we actually save it. If the zip file is bad we want to toss it away and only create the FileUpload record that has the validation results with it. If the file size is < 2.5MB Django keeps it in memory but parse_addon requires a file on disk.

The form is going to have to check if it's an in-memory file and if so, create the file on disk to pass it to parse_addon in order to get the origin out of it.

The most straightforward approach is to do the above in the form -- make a tempfile, parse it, then throw it away when done.

But I'm also wondering if it might be nice to update our SafeUnzip library to take a file-like object and not assume a file on disk so we can pull this file out and handle it all in-memory.
I went with the in-memory approach:
https://github.com/mozilla/zamboni/commit/29960747
Status: REOPENED → RESOLVED
Closed: 11 years ago11 years ago
Resolution: --- → FIXED
Verified as fixed in https://marketplace-dev.allizom.org/developers/submit/ on FF25 (Win 7).
Postfix screencast http://screencast.com/t/yn2fSEQD
Closing bug.
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.