security exception when checking signature of favicon (?)

RESOLVED FIXED in Firefox 28

Status


Firefox for Android
General
RESOLVED FIXED
4 years ago
a year ago

People

(Reporter: martin, Assigned: capella)

Tracking

(Blocks: 1 bug)

23 Branch
Firefox 28

Firefox Tracking Flags

(Not tracked)

Attachments

(3 attachments)

(Reporter)

Description

4 years ago
Created attachment 791788 [details]
logcat_except_gecko.txt

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:23.0) Gecko/20100101 Firefox/23.0 (Beta/Release)
Build ID: 20130803215302

Steps to reproduce:

Searched websites with "startpage (SSL)" add-on installed. Clicked on any search result.


Actual results:

Logcat shows security exceptions with every website loading.


Expected results:

On the surface everything works as expected. I just worry about the exceptions.

Do you see these when you disable "Startpage (SSL)"?
(Reporter)

Comment 2

4 years ago
Hi Aaron!

I disabled every add-on and the culprit is "adblock plus". How can I provide further information? Should I contact the developer of "adblock plus"?

Greetz
Martin

It is suggested to file a bug-report over at https://adblockplus.org/forum/viewforum.php?f=11; if the case be that it's an issue on our end discovered in comment, I would imagine we could re-open this.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → INVALID
(Assignee)

Comment 4

4 years ago
I had filed this previously ... sounds like a dup and we should close that too
https://bugzilla.mozilla.org/show_bug.cgi?id=901939
(Assignee)

Updated

4 years ago
Duplicate of this bug: 901939

(In reply to Aaron Train [:aaronmt] from comment #3)
> It is suggested to file a bug-report over at
> https://adblockplus.org/forum/viewforum.php?f=11;

I disagree - this isn't an Adblock Plus bug. Adblock Plus has been signed correctly but that's not really the point. The problem here is rather that Firefox shouldn't attempt to validate the signature when displaying the extension icon. For reference, the corresponding bug in the desktop Firefox version is bug 726125 which has been resolved a while ago.

Note that my comment is based on the description from bug 901939 which has been resolved as a duplicate of this one - there isn't much of a description here.
Blocks: 467520
Status: RESOLVED → REOPENED
Ever confirmed: true
Resolution: INVALID → ---
(Assignee)

Comment 7

4 years ago
Created attachment 820696 [details] [diff] [review]
bug906402 (v0)

If you're saying that we can assume extension icons are trusted sources, we can bypass the security check done in Java and provide a working patch for consideration this way.
(Assignee)

Comment 8

4 years ago
Comment on attachment 820696 [details] [diff] [review]
bug906402 (v0)

Ping mfinkle for feedback, not sure who to check with otherwise
Attachment #820696 - Flags: feedback?(mark.finkle)
(Assignee)

Comment 9

4 years ago
Created attachment 821632 [details] [diff] [review]
bug906402 (v1)

new version tightens it up a bit
Assignee: nobody → markcapella
Status: REOPENED → ASSIGNED
Attachment #821632 - Flags: review?(mark.finkle)
(Assignee)

Updated

4 years ago
Attachment #820696 - Flags: feedback?(mark.finkle)
Comment on attachment 821632 [details] [diff] [review]
bug906402 (v1)

>+                        // Addons, extensions, etc

Let's make the comment a bit more descriptive:

// Don't attempt to validate the JAR signature when loading an add-on icon
Attachment #821632 - Flags: review?(mark.finkle) → review+
(Assignee)

Comment 11

4 years ago
TRY is nice and green: https://tbpl.mozilla.org/?tree=Try&rev=83e7ed66547f
(Assignee)

Comment 12

4 years ago
And on we go https://hg.mozilla.org/integration/fx-team/rev/06e480dedcb0
Adblock plus icons for everyone
https://hg.mozilla.org/mozilla-central/rev/06e480dedcb0
Status: ASSIGNED → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 28