User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0 (Beta/Release)
Build ID: 20131212030202

Steps to reproduce:
I tried some random digits in place of 'X' in https://marketplace.firefox.com/downloads/file/XXXXXX

Actual results:
I was able to download the source code of a few of the apps.

Expected results:
It should not allow anyone to download the source code of any app. Only an authorized person should be able to download his apps.
You can try with https://marketplace.firefox.com/downloads/file/234420
This is essentially like using view-source on a web page, as this is how web apps are packaged. These files contain the resources (urls, etc.) for the app and its manifest. This is not the source code for the app.
(In reply to Curtis Koenig [:curtisk] from comment #2)
> This is essentially like using view-source on a web page, as this is how web apps are packaged. These files contain the resources (urls, etc.) for the app and its manifest. This is not the source code for the app.

Just to clarify: This IS the source code for the app - or rather this is the app itself. This URL is used as part of the install process.

As an example: When you click install on a PACKAGED app (i.e. not a hosted one), a manifest.webapp file is downloaded such as:
https://marketplace.firefox.com/app/956189a1-c985-4824-85a9-de708d38d6f9/manifest.webapp

Inside this file is a "package_path" which contains the path to the app:
https://marketplace.firefox.com/downloads/file/237117/connecta2-009.zip

As it turns out, marketplace will let you specify anything after the number and that will be used as the filename. The content type is always application/zip though, so I can't think of any issues with this.

So bottom line, this is the URL used to install the app. We could make it less predictable, but it would always be possible just to crawl the marketplace and download all apps that way.
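The install flow described in this comment, as an added example that is not code from the thread or from the marketplace: the client fetches the mini-manifest, reads "package_path", and only then fetches the zip. The sample manifest is constructed; only the package_path field is modelled on the thread, the other fields are placeholders. The check accepts only https URLs on the marketplace origin of the /downloads/file/<id>/<name> shape the comment describes, and treats the numeric id as the only authoritative part, since the comment notes that anything after the number is accepted as a filename.

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample mini-manifest for a packaged app; "package_path" follows the
# URL shape quoted in the thread, the other fields are placeholders.
SAMPLE_PACKAGED_MANIFEST = json.dumps({
    "name": "Example Packaged App",
    "version": "0.0.9",
    "package_path": "https://marketplace.firefox.com/downloads/file/237117/connecta2-009.zip",
})

# Constructed sample for a hosted app: no package_path at all.
SAMPLE_HOSTED_MANIFEST = json.dumps({
    "name": "Example Hosted App",
    "launch_path": "/index.html",
})

MARKETPLACE_HOST = "marketplace.firefox.com"
# /downloads/file/<numeric id> optionally followed by a free-form filename.
DOWNLOAD_PATH_RE = re.compile(r"^/downloads/file/(\d+)(?:/([^/]*))?$")


def is_packaged(manifest_text):
    """True when the mini-manifest carries a package_path (packaged app)."""
    return isinstance(json.loads(manifest_text).get("package_path"), str)


def parse_package_path(manifest_text):
    """Return (file_id, filename) from a packaged-app mini-manifest.

    Raises ValueError for hosted apps or for a package_path that does not
    point at the marketplace download endpoint over https. The filename is
    returned for display only; the server keys the download on file_id.
    """
    manifest = json.loads(manifest_text)
    path = manifest.get("package_path")
    if not isinstance(path, str):
        raise ValueError("manifest has no package_path (hosted app?)")
    url = urlparse(path)
    if url.scheme != "https" or url.netloc != MARKETPLACE_HOST:
        raise ValueError("package_path must be an https URL on the marketplace origin")
    match = DOWNLOAD_PATH_RE.match(url.path)
    if not match:
        raise ValueError("package_path is not a /downloads/file/<id> URL")
    file_id = int(match.group(1))
    filename = match.group(2) or ""
    return file_id, filename


def download_url_for(file_id):
    """Rebuild the canonical download URL from the id alone, dropping the
    untrusted trailing filename."""
    return "https://%s/downloads/file/%d" % (MARKETPLACE_HOST, file_id)


if __name__ == "__main__":
    fid, name = parse_package_path(SAMPLE_PACKAGED_MANIFEST)
    print(fid, name, download_url_for(fid))
```

Rebuilding the URL from the id alone is the defensive habit the comment hints at: the trailing segment is cosmetic, so nothing downstream should key on it.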
Thanks for filing this bug. As was mentioned above, these are packages of client-side code and shouldn't contain anything secret. I agree this is not a security bug. That said, I'm going to reopen it because I'd like to fix it, particularly in the case of paid apps where we prevent downloading until a user has paid.
I have one more doubt: if it's fine to get the source code of any app, then it should also be possible for everyone to know the app number (which is what XXXXXX is in https://marketplace.firefox.com/downloads/file/XXXXXX). What do you people say?
The app number isn't a secret.
How do I find the app number of any app?
(In reply to Wil Clouser [:clouserw] from comment #4)
> That said, I'm going to reopen it because I'd like to fix it, particularly in the case of paid apps where we prevent downloading until a user has paid.

The receipt is the proof of purchase, not the download. Saying that, I think people will repeatedly file this bug, so it's better to try and prevent it.
Yep, receipts have and will always be the protective mechanism against freeloaders using paid apps. Once one person buys an app, they could copy the source code from their device and give it to someone else but a copied receipt is detectable (when validated server side). However, I agree that protecting paid app source code is a good idea if only as a defense-in-depth strategy. Some devs are inevitably going to be careless about validating receipts so it will protect them a little bit.
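The point made in the last few comments, that a copied receipt is detectable when validated server side and that the download itself proves nothing, as an added example that is not code from the thread or from the marketplace. The receipt format, signing key and revocation list are all constructed stand-ins; the real marketplace receipts and their verification are not modelled here. What it shows is the binding that makes copying detectable: the receipt is signed over the user and app it was issued for, so a receipt lifted from one device and presented under another account fails even though its signature is intact, and a request that carries no authenticated session (the situation described later in the thread, where the install request arrives without cookies) is refused before any receipt check runs.

```python
import hashlib
import hmac
import json
import secrets

# Constructed demo key; a real deployment would use the marketplace's own
# receipt signing keys, which this example does not model.
SIGNING_KEY = b"constructed-demo-key-not-a-real-secret"

# Stand-in for a server-side revocation store (refunds, abuse, etc.).
REVOKED_NONCES = set()


def issue_receipt(user_id, app_id):
    """Issue a receipt bound to one user and one app (constructed format:
    canonical JSON payload + '.' + hex HMAC-SHA256 over that payload)."""
    body = {"user": user_id, "app": app_id, "nonce": secrets.token_hex(8)}
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()
    return payload.decode() + "." + sig


def receipt_nonce(receipt):
    """Extract the nonce so a receipt can be revoked server side."""
    payload, _sig = receipt.rsplit(".", 1)
    return json.loads(payload)["nonce"]


def verify_receipt(receipt, requesting_user, app_id):
    """True only if the receipt is intact, not revoked, issued for this app,
    and issued to the user presenting it. A receipt copied from another
    account has a valid signature but fails the user binding."""
    try:
        payload, sig = receipt.rsplit(".", 1)
    except ValueError:
        return False
    expected = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return False
    try:
        body = json.loads(payload)
    except ValueError:
        return False
    if body.get("nonce") in REVOKED_NONCES:
        return False
    return body.get("app") == app_id and body.get("user") == requesting_user


def authorize_paid_download(receipt, authenticated_user, app_id):
    """Gate a paid package download on the receipt, not on URL secrecy.

    authenticated_user is None when the request carried no session, which
    is exactly the case where nothing can be said about payment.
    """
    if authenticated_user is None:
        return False
    return verify_receipt(receipt, authenticated_user, app_id)


if __name__ == "__main__":
    r = issue_receipt("alice", 237117)
    print("owner:", authorize_paid_download(r, "alice", 237117))
    print("copied to bob:", authorize_paid_download(r, "bob", 237117))
    print("no session:", authorize_paid_download(r, None, 237117))
```

The defense-in-depth point from the thread survives in this shape: even if the zip URL is guessable, the paid download path refuses anything that is not a receipt issued to the authenticated caller for that app, and a developer who skips client-side receipt validation still gets that one server-side check.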
https://github.com/mozilla/zamboni/pull/1608

And of course this doesn't help at all with hosted apps, who really, really should be using receipts, but there you go.
Man, I'm on a winning streak this week. The problem here is that when we call install, cookies are not passed on to the install request. Which means we've got no authentication, and with no authentication we have no idea if they've paid or not.

https://github.com/mozilla/zamboni/commit/2a6a62
Uhm, for example my apps are on Github, so I think it's better to have a field for inserting the link to the repo's site (issues, wiki, etc.) than an automatic download by the marketplace.
We'll go for receipts being the protection mechanism.