Closed Bug 968440 Opened 10 years ago Closed 10 years ago

"getApp" webapps actor method responds for certified apps even when forbidden

Categories

(DevTools Graveyard :: WebIDE, defect)

defect
Not set
normal

Tracking

(b2g-v1.2 affected, b2g-v1.3 affected, b2g-v1.4 fixed)

RESOLVED FIXED
Firefox 30

People

(Reporter: jryans, Assigned: jryans)

References

Details

(Whiteboard: [qa-])

Attachments

(1 file)

As part of expanding test coverage in bug 966039, I discovered the webapps actor's "getApp" method uses an incorrect check for whether certified apps are allowed or not, such that it always allows responding about certified apps, even when "devtools.debugger.forbid-certified-apps" is true (as it is by default).

I don't believe this leaks any useful private information, however, so I've left this as a public issue.  It's not possible to debug the apps or anything like that, as the "getAppActor" method checks correctly.  The main thing is if you know the manifestURL of a certified app, now you could check to see if it is installed, and get information back like the following example:

{
  "app": {
    "name": "Certified app",
    "installOrigin": "app://test-certified-id",
    "origin": "app://test-certified-id",
    "receipts": {},
    "installTime": 1391635240790,
    "manifestURL": "app://test-certified-id/manifest.webapp",
    "appStatus": 3,
    "removable": true,
    "id": "test-certified-id",
    "localId": 1002,
    "basePath": "/var/folders/j6/jhbppx_x1050lwg8bmjxkt240000gp/T/tmpdAwMBV/webapps",
    "progress": 0,
    "installState": "installed",
    "downloadSize": 0,
    "installerAppId": 0,
    "installerIsBrowser": false,
    "storeId": "",
    "storeVersion": 0,
    "role": "",
    "redirects": null,
    "manifest": {
      "name": "Certified app",
      "description": "Testing webapps actor",
      "launch_path": "/index.html",
      "type": "certified"
    }
  },
  "from": "conn0.webapps10"
}

This issue affects B2G 1.2+.
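Added example, not code from the bug's patch or from Firefox: a minimal model of the gate described above, in which getApp and getAppActor share one certified-app check instead of getApp using its own (always-permissive) one. The pref name and the appStatus value 3 come from this bug; the actor shape, helper names, the privileged appStatus value and the sample apps are assumptions.

```javascript
// Added illustration, not the Firefox DevTools source. The pref name and
// APP_STATUS_CERTIFIED come from the bug; the actor shape, registry stand-in,
// sample apps and helper names are assumptions for this example.
const FORBID_PREF = "devtools.debugger.forbid-certified-apps";
const APP_STATUS_CERTIFIED = 3; // "appStatus": 3 in the reply quoted above

// Constructed sample registry: one certified app, one non-certified app
// (appStatus 2 assumed to mean "privileged" here).
const SAMPLE_APPS = [
  { manifestURL: "app://test-certified-id/manifest.webapp", name: "Certified app", appStatus: 3 },
  { manifestURL: "app://test-privileged-id/manifest.webapp", name: "Privileged app", appStatus: 2 },
];

function makeWebappsActor(forbidCertified, apps = SAMPLE_APPS) {
  const prefs = { [FORBID_PREF]: forbidCertified };              // stand-in for Services.prefs
  const registry = new Map(apps.map(a => [a.manifestURL, a]));   // stand-in for the app registry

  // One predicate, consulted by every method that reveals anything about an app.
  function isAppAllowed(app) {
    return !(prefs[FORBID_PREF] && app.appStatus === APP_STATUS_CERTIFIED);
  }

  // Returns { app } or an error reply. The reply is identical whether the app
  // is absent or merely forbidden (this example's choice), so a caller cannot
  // use the error shape to probe whether a certified app is installed.
  function lookupAllowed(manifestURL) {
    const app = registry.get(manifestURL);
    if (!app || !isAppAllowed(app)) {
      return { error: "forbidden", message: "No app available for " + manifestURL };
    }
    return { app };
  }

  return {
    // Model of the reported behaviour: the pref is never consulted, so a
    // certified app's record is returned even when the pref forbids it.
    getAppBuggy(manifestURL) {
      const app = registry.get(manifestURL);
      return app ? { app } : { error: "forbidden", message: "No app available for " + manifestURL };
    },
    // Corrected: gated by the same predicate getAppActor uses.
    getApp(manifestURL) {
      return lookupAllowed(manifestURL);
    },
    getAppActor(manifestURL) {
      const res = lookupAllowed(manifestURL);
      return res.error ? res : { actor: "conn0.app-" + res.app.name };
    },
  };
}
```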
Assignee: nobody → jryans
Status: NEW → ASSIGNED
Attachment #8371031 - Flags: review?(poirot.alex)
Comment on attachment 8371031 [details] [diff] [review]
Update security check for getApp in webapps actor

Review of attachment 8371031 [details] [diff] [review]:
-----------------------------------------------------------------

Thanks! Are you able to enable the xpcshell? It seems to cover this function and would be cool to have a test running while landing a change on it.
Attachment #8371031 - Flags: review?(poirot.alex) → review+
(In reply to Alexandre Poirot (:ochameau) from comment #2)
> Comment on attachment 8371031 [details] [diff] [review]
> Update security check for getApp in webapps actor
> 
> Review of attachment 8371031 [details] [diff] [review]:
> -----------------------------------------------------------------
> 
> Thanks! Are you able to enable the xpcshell? It seems to cover this function
> and would be cool to have a test running while landing a change on it.

No hope yet for xpcshell, but adding mochitests in bug 966039.
Stéphanie, is it necessary to uplift this to 1.2 and 1.3?
https://hg.mozilla.org/mozilla-central/rev/a62c30cbf6ca
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Whiteboard: [fixed-in-fx-team]
Target Milestone: --- → Firefox 30
Flags: needinfo?(stephouillon)
Since it is a sec-low issue, I don't think it qualifies to be backported.
Flags: needinfo?(stephouillon)
Whiteboard: [qa-]
Product: Firefox → DevTools
Product: DevTools → DevTools Graveyard