Bug 968440 (Closed): "getApp" webapps actor method responds for certified apps even when forbidden
Opened 10 years ago, closed 10 years ago
Categories: DevTools Graveyard :: WebIDE, defect
Tracking: b2g-v1.2 affected, b2g-v1.3 affected, b2g-v1.4 fixed
Status: RESOLVED FIXED
Target Milestone: Firefox 30
People: Reporter: jryans, Assigned: jryans
Whiteboard: [qa-]
Attachments (1 file): patch, 1.35 KB, review+ from ochameau
Description

As part of expanding test coverage in bug 966039, I discovered the webapps actor's "getApp" method uses an incorrect check for whether certified apps are allowed or not, such that it always allows responding about certified apps, even when "devtools.debugger.forbid-certified-apps" is true (as it is by default).

I don't believe this leaks any useful private information, however, so I've left this as a public issue. It's not possible to debug the apps or anything like that, as the "getAppActor" method checks correctly.

The main thing is if you know the manifestURL of a certified app, now you could check to see if it is installed, and get information back like the following example:

{
  "app": {
    "name": "Certified app",
    "installOrigin": "app://test-certified-id",
    "origin": "app://test-certified-id",
    "receipts": {},
    "installTime": 1391635240790,
    "manifestURL": "app://test-certified-id/manifest.webapp",
    "appStatus": 3,
    "removable": true,
    "id": "test-certified-id",
    "localId": 1002,
    "basePath": "/var/folders/j6/jhbppx_x1050lwg8bmjxkt240000gp/T/tmpdAwMBV/webapps",
    "progress": 0,
    "installState": "installed",
    "downloadSize": 0,
    "installerAppId": 0,
    "installerIsBrowser": false,
    "storeId": "",
    "storeVersion": 0,
    "role": "",
    "redirects": null,
    "manifest": {
      "name": "Certified app",
      "description": "Testing webapps actor",
      "launch_path": "/index.html",
      "type": "certified"
    }
  },
  "from": "conn0.webapps10"
}

This issue affects B2G 1.2+.
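The rule the report describes, modelled as an added example (this is not Mozilla's webapps actor code or the landed patch): when the forbid-certified-apps pref is true, getApp must refuse certified apps exactly as getAppActor already did. The actor factory, the pref object, the hosted-app entry and the choice to answer "appNotFound" for a forbidden app are assumptions of this example; appStatus 3 and the certified manifestURL come from the report.

```javascript
// Added example, not Mozilla's webapps actor code. It models the rule the bug
// describes: when "devtools.debugger.forbid-certified-apps" is true (the
// default), neither getApp nor getAppActor may answer about a certified app.
// appStatus 3 and the certified manifestURL are taken from the bug's example;
// the hosted app and the error shapes are constructed for this example.
const APP_STATUS_CERTIFIED = 3;

// Constructed stand-in for the device's installed-app registry.
const INSTALLED_APPS = new Map([
  ["app://test-certified-id/manifest.webapp",
   { name: "Certified app", appStatus: APP_STATUS_CERTIFIED,
     manifest: { type: "certified" } }],
  ["app://hosted-example/manifest.webapp",
   { name: "Hosted app", appStatus: 1, manifest: { type: "web" } }],
]);

// Hypothetical actor factory; `prefs` stands in for the preference service.
function makeWebappsActor(prefs) {
  const forbidCertified = () =>
    prefs["devtools.debugger.forbid-certified-apps"] !== false; // default: true

  // One gate shared by every method that reveals app details. The bug was a
  // check in getApp that did not match getAppActor; routing both through the
  // same helper keeps them from drifting apart again.
  function isForbidden(app) {
    return forbidCertified() && app.appStatus === APP_STATUS_CERTIFIED;
  }

  // Look up an app, treating a forbidden app exactly like a missing one so the
  // reply does not tell a caller whether a certified app is installed.
  function lookup(manifestURL) {
    const app = INSTALLED_APPS.get(manifestURL);
    return app && !isForbidden(app) ? app : null;
  }

  function getApp(manifestURL) {
    const app = lookup(manifestURL);
    return app ? { app: { ...app, manifestURL } } : { error: "appNotFound" };
  }

  function getAppActor(manifestURL) {
    const app = lookup(manifestURL);
    return app ? { actor: `appActor:${app.name}` } : { error: "appNotFound" };
  }

  return { getApp, getAppActor };
}
```

With the pref left at its default, both methods give the same answer for the certified app; only an explicit `false` for the pref lets getApp describe it.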
Comment 1•10 years ago
Comment 2•10 years ago
Comment on attachment 8371031: Update security check for getApp in webapps actor

Review of attachment 8371031:
-----------------------------------------------------------------

Thanks! Are you able to enable the xpcshell? It seems to cover this function and would be cool to have a test running while landing a change on it.
Attachment #8371031 - Flags: review?(poirot.alex) → review+
Comment 3•10 years ago
Try: https://tbpl.mozilla.org/?tree=Try&rev=c88add5bdcc3
Comment 4•10 years ago
(In reply to Alexandre Poirot (:ochameau) from comment #2)
> Comment on attachment 8371031: Update security check for getApp in webapps actor
>
> Review of attachment 8371031:
> -----------------------------------------------------------------
>
> Thanks! Are you able to enable the xpcshell? It seems to cover this function
> and would be cool to have a test running while landing a change on it.

No hope yet for xpcshell, but adding mochitests in bug 966039.
Comment 5•10 years ago
Stéphanie, is it necessary to uplift this to 1.2 and 1.3?
Updated•10 years ago
Keywords: checkin-needed
Comment 6•10 years ago
https://hg.mozilla.org/integration/fx-team/rev/a62c30cbf6ca
Keywords: checkin-needed
Whiteboard: [fixed-in-fx-team]
Comment 7•10 years ago
https://hg.mozilla.org/mozilla-central/rev/a62c30cbf6ca
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Whiteboard: [fixed-in-fx-team]
Target Milestone: --- → Firefox 30
Updated•10 years ago
Flags: needinfo?(stephouillon)
Comment 8•10 years ago
Since it is a sec-low issue, I don't think it qualifies to being backported.
Flags: needinfo?(stephouillon)
Updated•10 years ago
Whiteboard: [qa-]
Updated•6 years ago
Product: Firefox → DevTools
Updated•4 years ago
Product: DevTools → DevTools Graveyard