Closed Bug 906402 Opened 6 years ago Closed 6 years ago

security exception when checking signature of favicon (?)

Categories

(Firefox for Android :: General, defect)

23 Branch
Other
Other
defect
Not set

Tracking

RESOLVED FIXED
Firefox 28

People

(Reporter: bugs.m1, Assigned: capella)

Attachments

(3 files)

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:23.0) Gecko/20100101 Firefox/23.0 (Beta/Release)
Build ID: 20130803215302

Steps to reproduce:

Searched websites with "startpage (SSL)" add-on installed. Clicked on any search result.


Actual results:

Logcat shows security exceptions with every website loading.


Expected results:

On the surface everything works as expected. I just worry about the exceptions.

Do you see these when you disable "Startpage (SSL)"?

Hi Aaron!

I disabled every add-on and the culprit is "adblock plus". How can I provide further information? Should I contact the developer of "adblock plus"?

Greetz
Martin
It is suggested to file a bug-report over at https://adblockplus.org/forum/viewforum.php?f=11; if the case be that it's an issue on our end discovered in comment, I would imagine we could re-open this.
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → INVALID
I had filed this previously ... sounds like a dup and we should close that too
https://bugzilla.mozilla.org/show_bug.cgi?id=901939
Duplicate of this bug: 901939
(In reply to Aaron Train [:aaronmt] from comment #3)
> It is suggested to file a bug-report over at
> https://adblockplus.org/forum/viewforum.php?f=11;

I disagree - this isn't an Adblock Plus bug. Adblock Plus has been signed correctly but that's not really the point. The problem here is rather that Firefox shouldn't attempt to validate the signature when displaying the extension icon. For reference, the corresponding bug in the desktop Firefox version is bug 726125 which was resolved a while ago.

Note that my comment is based on the description from bug 901939 which has been resolved as a duplicate of this one - there isn't much of a description here.
Blocks: abp
Status: RESOLVED → REOPENED
Ever confirmed: true
Resolution: INVALID → ---
Attached patch bug906402 (v0)
If you're saying that we can assume extension icons are trusted sources, we can bypass the security check done in Java and provide a working patch for consideration this way.
Comment on attachment 820696
bug906402 (v0)

Ping mfinkle for feedback, not sure who to check with otherwise
Attachment #820696 - Flags: feedback?(mark.finkle)
Attached patch bug906402 (v1)
new version tightens it up a bit
Assignee: nobody → markcapella
Status: REOPENED → ASSIGNED
Attachment #821632 - Flags: review?(mark.finkle)
Attachment #820696 - Flags: feedback?(mark.finkle)
Comment on attachment 821632
bug906402 (v1)

>+                        // Addons, extensions, etc

Let's make the comment a bit more descriptive:

// Don't attempt to validate the JAR signature when loading an add-on icon
Attachment #821632 - Flags: review?(mark.finkle) → review+
And on we go https://hg.mozilla.org/integration/fx-team/rev/06e480dedcb0
Adblock plus icons for everyone
https://hg.mozilla.org/mozilla-central/rev/06e480dedcb0
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 28