Closed Bug 980355 Opened 11 years ago Closed 11 years ago

Plugin block: Cisco Jabber SDK for Web < 3.0.6

Categories: Toolkit :: Blocklist Policy Requests (defect)
Platform: All / Windows 7
Severity: normal (priority not set)
Status: RESOLVED FIXED
Target Milestone: 2014-06
People: Reporter: benjamin, Assigned: jorgev
Keywords: qawanted
Whiteboard: [kb=1398505]
Attachments: 2 files

See bug 980133 for details: we should issue a block for the Cisco Jabber SDK for Web plugin versions less than 3.0.6 because of a security issue. If this plugin is in plugincheck that should be updated as well. about:plugins details are in attachment 8386489 [details] from that bug. Cisco will do the QA for this once it is staged.
Flags: needinfo?(cbook)
Vibhavaree here are instructions for verifying the blocks: https://wiki.mozilla.org/Blocklisting/Testing Could you or your QA org verify that the blocks are working correctly for old versions of the plugin and don't affect the most recent version?
Flags: needinfo?(vgargeya)
Hm, so far this plugin is not in plugincheck. I tried to add/download this plugin but got "To Download this software, you must Log In and have a valid service contract associated to your Cisco.com profile." It would be helpful if someone could provide the information from http://ozten.com/random/perfidies/debug.html if we want to add this plugin to plugincheck.
Flags: needinfo?(cbook)
Tomcat, I believe the information you need is found in the powerpoint attachment linked in comment 0.
(In reply to Benjamin Smedberg [:bsmedberg] from comment #4)
> Tomcat, I believe the information you need is found in the powerpoint
> attachment linked in comment 0.

Oh, thanks. Could someone provide me with the exact version number of the vulnerable plugin? Plugincheck needs this because I can only mark "old" versions as vulnerable and from then on the "new" version as latest.
I don't understand the question. 3.0.6 is the good version, and 3.0.5 and all previous versions are the unsafe versions.
(In reply to Benjamin Smedberg [:bsmedberg] from comment #6)
> I don't understand the question. 3.0.6 is the good version, and 3.0.5 and
> all previous versions are the unsafe versions.

According to the attached file the current version is 3.0.6.x; it would be helpful for plugincheck if we knew what the exact version number for 3.0.5.x is.
The release version for 3.0.5.x (also referred to as 9.2 MR5) is 3.0.5.156990
Flags: needinfo?(vgargeya)
We'd like the "update now" link that is presented in the click-to-activate dialog, and the add-on manager to point to a location that provides information on how users can get a later version of the plug-in. What's the process? Do we just send you the link?
That link is currently hard-coded to go to the Mozilla plugincheck page: http://www.mozilla.org/en-US/plugincheck/ Tomcat is working to add your plugin to plugincheck, and that page can link to wherever you choose.
okay, thank you. we'll provide the link.
I tested on a Mac 10.9 to see if a 3.0.5 version of the plugin would be blocked. It was not blocked.
Added an attachment showing the about:plugins info for the 3.0.5 version of the plugin, as it appears in Firefox on a Mac 10.9.
Cisco Web Communicator
File: CiscoWebCommunicator.plugin
Path: /Library/Internet Plug-Ins/CiscoWebCommunicator.plugin
Version: 3.0.5.156990
State: Enabled
Cisco Unified Communication System Release 9.2 MR5 : CWC version 3.0.5.156990
Flags: needinfo?(jorge)
Created the plugin now; let me know about the feedback, and also about the URL from comment #11.
Rich, can you confirm that you followed the steps on this page: https://wiki.mozilla.org/Blocklisting/Testing. Also, can you check your Firefox profile folder for file blocklist.xml and see if you find an entry with ID p545?
Flags: needinfo?(jorge) → needinfo?(ramerman)
Jorge, I tried out the Aurora channel, Firefox 29, and noticed that the plug-in block is working on Mac. I must have been doing something wrong for the Mac when trying to follow the Blocklisting Testing steps. I'm not concerned about it now, though. Thanks for following up :-)
Flags: needinfo?(ramerman)
We are working on getting a landing page up for the update url. will post when it is ready.
Can you let us know what version of Firefox this block will go live in? thank you.
Flags: needinfo?(jorge)
Tomcat, please give comment #19 a look.

(In reply to vgargeya from comment #20)
> Can you let us know what version of Firefox this block will go live in?
> thank you.

We will push the block live once the plugin update info is updated. It's a server-side change, so it doesn't need to align with a release. It will apply for all Firefox versions.
Flags: needinfo?(jorge) → needinfo?(cbook)
Was this testing done (see comment #11), and was this OK for plugincheck?
Flags: needinfo?(cbook)
See comment 10 - does plugin check now direct to the new landing page - https://developer.cisco.com/site/collaboration/jabber/websdk/develop-and-test/voice-and-video/troubleshooting/#plugin_vulnerabilities_user ? If so, we can test it out. Tomcat, please confirm that the work to direct to link above is complete. we can test it out on allizom.
(In reply to vgargeya from comment #23)
> See comment 10 - does plugin check now direct to the new landing page -
> https://developer.cisco.com/site/collaboration/jabber/websdk/develop-and-test/voice-and-video/troubleshooting/#plugin_vulnerabilities_user ?
> If so, we can test it out. Tomcat, please confirm that the work to direct to
> link above is complete. we can test it out on allizom.

Hi, should be all ready to test on https://www.mozilla.org/en-US/plugincheck/ (in about 30 minutes from now when the cache clears etc.)
Flags: needinfo?(vgargeya)
I can't currently get Firefox to block the plugin. Briefly, I saw that it blocked the plugin, and the update link led to a page that said it could not find what was being looked for. I'd like to repro that situation, but currently Firefox is not having a problem with the plugin.

Here is the string I am using for extensions.blocklist.url:

https://addons-dev.allizom.org/blocklist/3/%APP_ID%/%APP_VERSION%/%PRODUCT%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VERSION%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%/%PING_COUNT%/%TOTAL_PING_COUNT%/%DAYS_SINCE_LAST_PING%/

Is that the correct string? Is there something else I am supposed to be doing to access the staged block-ins?
The staging server has its DB synced every so often, so the blocks can disappear. Here they are again:

https://addons-dev.allizom.org/en-US/firefox/blocked/p564
https://addons-dev.allizom.org/en-US/firefox/blocked/p566

Please give them a try as soon as possible.
Thanks, Jorge. I was able to get Firefox to block the Cisco Web Communicator plug-in. When I click the Update link on Windows, it takes me to https://addons.mozilla.org/en-US/firefox/blocked/p564, which does not exist. I suppose that makes sense, since it is the staging site at addons-dev.allizom.org that currently has p564 and p566 posted. However, we want the update link to go to: https://developer.cisco.com/site/collaboration/jabber/websdk/develop-and-test/voice-and-video/troubleshooting/#plugin_vulnerabilities_user Can you please change the Update link to go to that URL?
(In reply to Rich Amerman from comment #28)
> When I click the Update link on Windows, it takes me to
> https://addons.mozilla.org/en-US/firefox/blocked/p564, which does not exist.

I'm not sure why that's happening. I *think* it should take you to wherever the plugin finder service tells you. Benjamin, do you know?
Flags: needinfo?(benjamin)
The update link should currently always go to plugincheck (http://www.mozilla.org/en-US/plugincheck/). bug 873093 is on file to make that customizable from the blocklist but that appears to have stalled.
Flags: needinfo?(benjamin)
Thanks for the explanation, Benjamin. Just to make sure I understand, the flow we should expect to see, when the block for Cisco Web Communicator is deployed to production, is that the update link will go to plugincheck. From there, an update link for Cisco Web Communicator will go to the link we want, which is: https://developer.cisco.com/site/collaboration/jabber/websdk/develop-and-test/voice-and-video/troubleshooting/#plugin_vulnerabilities_user Does that sound correct? Will there be a way for us to verify this while the block is still being staged?
Flags: needinfo?(benjamin)
That is correct. The interaction of plugincheck and the blocklist isn't ideal. Tomcat, is plugincheck live?
Flags: needinfo?(benjamin) → needinfo?(cbook)
Yep, see comment #24.
Flags: needinfo?(cbook)
If I go to https://www.mozilla.org/en-US/plugincheck/ from a Windows 7 machine with Cisco Web Communicator installed, the page that comes up shows the plug-in as unknown, with a Research button, not an Update button. The Research button goes to a Google search of "current version plugin Cisco Web Communicator".

Is that expected behavior at this stage of the roll-out of the plugin block?

In case it matters, I also have extensions.blocklist.url set to point to the addons-dev.allizom.org server, so that the plug-in is in fact blocked for Firefox on the machine.
Flags: needinfo?(cbook)
screenshot of the plugin database
Flags: needinfo?(cbook)
(In reply to Rich Amerman from comment #34)
> If I go to https://www.mozilla.org/en-US/plugincheck/ from a Windows 7
> machine with Cisco Web Communicator installed, the page that comes up shows
> the plug-in as unknown, with a Research button, not an Update button. The
> Research button goes to a Google search of "current version plugin Cisco Web
> Communicator"
>
> Is that expected behavior at this stage of the roll-out of the plugin block?
>
> In case it matters, I also have extensions.block.url set to point to the
> addon-devs.allizom.org server, so that the plug-in is in fact blocked for
> Firefox on the machine.

Was this with the latest plugin? If the plugin is blocked, this might affect plugincheck too.
(In reply to Carsten Book [:Tomcat] from comment #36)
> (In reply to Rich Amerman from comment #34)
> > If I go to https://www.mozilla.org/en-US/plugincheck/ from a Windows 7
> > machine with Cisco Web Communicator installed, the page that comes up shows
> > the plug-in as unknown, with a Research button, not an Update button. The
> > Research button goes to a Google search of "current version plugin Cisco Web
> > Communicator"
> >
> > Is that expected behavior at this stage of the roll-out of the plugin block?
> >
> > In case it matters, I also have extensions.block.url set to point to the
> > addon-devs.allizom.org server, so that the plug-in is in fact blocked for
> > Firefox on the machine.
>
> was this with the latest plugin ? If this the plugin is blocked, this might
> affect plugincheck too

Plugincheck shows the Cisco Web Communicator plug-in as unknown, whether the plug-in version is 3.0.5 (blocked) or 3.0.6 (unblocked).
Benjamin, Carsten,

This is waiting on the update links in the block flow directing the user to https://developer.cisco.com/site/collaboration/jabber/websdk/develop-and-test/voice-and-video/troubleshooting/#plugin_vulnerabilities_user ?

If this can please be implemented, we can test it and close this out.

Also we can get on a WebEx session if that is helpful. Just let me know and I can schedule it.

Thank you,
-Vibhavaree
Flags: needinfo?(vgargeya)
Flags: needinfo?(cbook)
Flags: needinfo?(benjamin)
Jorge, I guess this is more for you.

(In reply to vgargeya from comment #38)
> Benjamin, Carsten,
> This is waiting on the update links in the block flow directing the user to
> https://developer.cisco.com/site/collaboration/jabber/websdk/develop-and-test/voice-and-video/troubleshooting/#plugin_vulnerabilities_user ?
>
> If this can please be implemented, we can test it and close this out.
>
> Also we can get on a WebEx session if that is helpful. Just let me know and
> I can schedule it.
>
> Thank you,
> -Vibhavaree
Flags: needinfo?(cbook) → needinfo?(jorge)
cbook no, the builtin blocking only links to plugincheck. The problem seems to be that plugincheck is not taking these users to the correct URL. That is something you need to fix, AIUI.
Flags: needinfo?(jorge)
Flags: needinfo?(cbook)
Flags: needinfo?(benjamin)
Yes, we want "update now" links to take the user to - https://developer.cisco.com/site/collaboration/jabber/websdk/develop-and-test/voice-and-video/troubleshooting/#plugin_vulnerabilities_user where they can get information on upgrading the plugin.
Spoke to Carsten on IRC this morning. I am going to get the current bug I worked on out the door and then implement what is requested here. One important thing to note here though is that we will need a way to test this to ensure this works as we expect (even though this feature will not be implemented just for this plugin). To this end, can someone point me to where I can get hold of the latest stable version of the plugin and then also, the vulnerable version mentioned here? Thanks!
Flags: needinfo?(vgargeya)
Flags: needinfo?(benjamin)
Flags: needinfo?(cbook)
espressive I'm confused. Plugincheck already has the ability to show an update link for plugins, no? I didn't think any coding would be necessary for this, just updating the database. In general, QA should be completed by Cisco. Bug 980133 has a download URL of http://software.cisco.com/download/release.html?mdfid=283882159&softwareid=283995793&release=9.0%25281%2529&relind=AVAILABLE&rellifecycle=&reltype=latest but I'm not sure which version that takes you to.
Flags: needinfo?(benjamin)
(In reply to Benjamin Smedberg [:bsmedberg] from comment #43)
> espressive I'm confused. Plugincheck already has the ability to show an
> update link for plugins, no? I didn't think any coding would be necessary
> for this, just updating the database.
>
> In general, QA should be completed by Cisco. Bug 980133 has a download URL
> of
> http://software.cisco.com/download/release.html?mdfid=283882159&softwareid=283995793&release=9.0%25281%2529&relind=AVAILABLE&rellifecycle=&reltype=latest
> but I'm not sure which version that takes you to.

Indeed it does; however, I am not 100% sure which URL is passed from the back-end. Looking at the DB, the vulnerability_url points to the URL mentioned by vgargeya@cisco.com. I am looking into this in more detail. The info I mentioned in comment 42 is still something being worked on, but I would have thought the current behaviour would be to use the vulnerability_url when the version is marked vulnerable unless this entry in the DB is empty. Will update the bug with what I discover.
One question, where can I get a version of this plugin? It seems one needs to purchase it.
Schalk, you can obtain an evaluation version here - https://developer.cisco.com/site/collaboration/jabber/websdk/develop-and-test/voice-and-video/downloads-and-docs/ Please see Plug-in section, Evaluation version toward the middle of the page. Further, you can download the SDK, which has a sample web application you can use to try out the plug-in.
Flags: needinfo?(vgargeya)
(In reply to vgargeya from comment #46)
> Schalk, you can obtain an evaluation version here -
> https://developer.cisco.com/site/collaboration/jabber/websdk/develop-and-test/voice-and-video/downloads-and-docs/
> Please see Plug-in section, Evaluation version toward the middle of the
> page.
>
> Further, you can download the SDK, which has a sample web application you
> can use to try out the plug-in.

Thanks!
(In reply to vgargeya from comment #46)
> Schalk, you can obtain an evaluation version here -
> https://developer.cisco.com/site/collaboration/jabber/websdk/develop-and-test/voice-and-video/downloads-and-docs/
> Please see Plug-in section, Evaluation version toward the middle of the
> page.

On which platforms and browsers does the plugin work? Windows [versions?], Mac [versions?], Linux? Browsers? Thanks!

At the moment, I am still seeing that the plugin is shown as unknown, so I am digging further. Thank you for your patience on this matter.
Assignee: jorge → schalk.neethling.bugs
So, I believe I found the reason why it is displayed as unknown. There are no mime types associated with the plugin entry. I am going to fix this in the DB and continue testing from there.
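The two decisions this bug turns on are (a) the blocklist rule "every version below 3.0.6 is blocked", where installed builds carry a fourth component such as 3.0.5.156990, and (b) plugincheck's verdict for an installed plugin, which comes out as "unknown" when the database entry has no mime types to match against and should use the entry's vulnerability_url when the version is marked vulnerable. The following is an added example modelling both, not code from Firefox, plugincheck or Cisco; the mime type, the database layout and every function name are constructed for illustration, and the Cisco landing URL is the one given in this bug.

```javascript
// Added example, not code from Firefox, plugincheck or Cisco: a minimal model of
// (1) "block every version below 3.0.6" and (2) plugincheck's status for an
// installed plugin, including why an entry with no mime types shows as "unknown".
// Names, the mime type and the DB layout are constructed for illustration.

// Parse a dotted version such as "3.0.5.156990" into numeric components.
function parseVersion(v) {
  return String(v).split('.').map(function (part) {
    const n = parseInt(part, 10);
    return Number.isNaN(n) ? 0 : n;
  });
}

// Compare two dotted versions component by component. Missing trailing
// components count as 0, so "3.0.6" sorts above "3.0.5.156990" and equals "3.0.6.0".
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  const len = Math.max(pa.length, pb.length);
  for (let i = 0; i < len; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Block entry modelled on the request in comment 0: versions below 3.0.6 are
// blocked. The upper bound is exclusive (a constructed convention).
const CISCO_BLOCK = { name: 'Cisco Web Communicator', blockBelow: '3.0.6' };

function isBlocked(installed, block) {
  return installed.name === block.name &&
    compareVersions(installed.version, block.blockBelow) < 0;
}

// Constructed mime type; the real plugin's mime types are not given in this bug.
const CWC_MIME = 'application/x-example-cisco-web-communicator';

// The URL Cisco asked to have users sent to (from the bug), and the generic
// plugincheck page the built-in block link always points at.
const CISCO_UPDATE_URL =
  'https://developer.cisco.com/site/collaboration/jabber/websdk/develop-and-test/voice-and-video/troubleshooting/#plugin_vulnerabilities_user';
const PLUGINCHECK_URL = 'https://www.mozilla.org/en-US/plugincheck/';

// Two constructed DB states: the broken one has no mime types, so nothing
// installed can ever match it; the fixed one carries the data needed to match.
const PLUGIN_DB_BROKEN = [
  { name: 'Cisco Web Communicator', mimeTypes: [], latest: '3.0.6',
    vulnerableBelow: '3.0.6', vulnerability_url: CISCO_UPDATE_URL }
];
const PLUGIN_DB_FIXED = [
  { name: 'Cisco Web Communicator', mimeTypes: [CWC_MIME], latest: '3.0.6',
    vulnerableBelow: '3.0.6', vulnerability_url: CISCO_UPDATE_URL }
];

// What plugincheck should report for one installed plugin: "unknown" when no
// DB entry shares a mime type with it, "vulnerable" with the entry's
// vulnerability_url when that field is non-empty (generic page otherwise),
// "outdated" when merely behind the latest release, else "latest".
function checkPlugin(installed, db) {
  const entry = db.find(function (e) {
    return e.mimeTypes.some(function (m) { return installed.mimeTypes.includes(m); });
  });
  if (!entry) return { status: 'unknown', url: null };
  if (compareVersions(installed.version, entry.vulnerableBelow) < 0) {
    return { status: 'vulnerable', url: entry.vulnerability_url || PLUGINCHECK_URL };
  }
  if (compareVersions(installed.version, entry.latest) < 0) {
    return { status: 'outdated', url: PLUGINCHECK_URL };
  }
  return { status: 'latest', url: null };
}

// Installed plugins: the 9.2 MR5 build exactly as about:plugins reported it in
// this bug (3.0.5.156990) plus a constructed 3.0.6 build.
const INSTALLED_OLD = { name: 'Cisco Web Communicator', version: '3.0.5.156990', mimeTypes: [CWC_MIME] };
const INSTALLED_NEW = { name: 'Cisco Web Communicator', version: '3.0.6.0', mimeTypes: [CWC_MIME] };

console.log(isBlocked(INSTALLED_OLD, CISCO_BLOCK), isBlocked(INSTALLED_NEW, CISCO_BLOCK)); // true false
console.log(checkPlugin(INSTALLED_OLD, PLUGIN_DB_BROKEN).status); // unknown: no mime types to match
console.log(checkPlugin(INSTALLED_OLD, PLUGIN_DB_FIXED));          // vulnerable, Cisco URL
console.log(checkPlugin(INSTALLED_NEW, PLUGIN_DB_FIXED).status);   // latest
```

The point of treating a missing fourth component as zero is that "3.0.6" and "3.0.6.0" must compare equal, otherwise a block written as "< 3.0.6" would either miss or wrongly catch builds depending on how many components the installer reports. The broken-versus-fixed database pair reproduces the "unknown" symptom from the thread without any version logic being involved: matching happens on mime types first, and an entry with none can never be reached.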
This pull request resolved the problem of reporting this plugin as unknown (there was some additional info needed in the DB as well). Once this has been merged, I will open the required PR against mozilla.org and update this bug once the changes are on stage for vgargeya to QA: https://github.com/ossreleasefeed/Perfidies-of-the-Web/pull/8
PR for Bedrock i.e. mozilla.org side of this is now open: https://github.com/mozilla/bedrock/pull/2076
Whiteboard: [kb=1398505]
Commits pushed to master at https://github.com/mozilla/bedrock

https://github.com/mozilla/bedrock/commit/47184fca9317b44dfb09b8f748cbaab1b89168bb
Fix Bug 980355, correct cisco communicator detection and use vulnerability urls when available

https://github.com/mozilla/bedrock/commit/440fab0d61a1a84fcfe23525b6dc131df1fc0b63
Merge pull request #2076 from ossreleasefeed/bug980355-correct-cisco-web-communicator-reporting
Fix Bug 980335, correct cisco communicator detection and use vulnerability urls when available
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Please test https://www.allizom.org/en-US/plugincheck/ and let me know whether we can keep this as fixed or whether you run into problems. Thanks!
Flags: needinfo?(vgargeya)
Looks mostly good, but I still notice one problem which still needs to be fixed.

First the good behavior:

I verified that https://www.allizom.org/en-US/plugincheck now links to the correct URL if from there one hits the Update Now button for the Cisco Web Communicator plugin (the Update Now button will be available for a version before 9.2 MR6). The above is also true, I noticed, for https://www.mozilla.org/en-US/plugincheck.

I also tested a path all the way from a web app attempting to load a 9.2 MR5 Cisco Web Communicator plugin (red lego piece > press Update Now link > https://www.mozilla.org/en-US/plugincheck > press Update Now button for Cisco Web Communicator plugin > Cisco's desired URL). All worked well in that path.

I also verified that https://www.mozilla.org/en-US/plugincheck considers plugin 9.2 MR6 to be up to date.

The problem behavior:

With the 9.2.5 Cisco Web Communicator plugin installed, I went to about:addons. I clicked the Update Now link for the Cisco Web Communicator plugin, and it took me to https://addons.mozilla.org/en-US/firefox/blocked/p564, which is not the correct URL.

This seems like a perfectly valid user path, and so it should also send one to our desired URL as well.
Flags: needinfo?(schalk.neethling.bugs)
(In reply to Rich Amerman from comment #55)
>
> The problem behavior:
>
> With the 9.2.5 Cisco Web Communicator plugin installed, I went to
> about:addons. I clicked the Update Now link for the Cisco Web Communicator
> plugin, and it took me to
> https://addons.mozilla.org/en-US/firefox/blocked/p564, which is not the
> correct URL.
>
> This seems like a perfectly valid user path, and so it should also send one
> to our desired URL as well.

Regarding plugincheck on mozilla.org, all seems to be good, so I can ask for this to be pushed to production, correct?

With regards to about:addons, unfortunately that is not something I work on. Not sure who works on about:addons. I will do my best to figure out where this needs to be changed. Thank you for testing and your feedback.
Flags: needinfo?(schalk.neethling.bugs)
Hey there Jorge and Benjamin, could you have a look at the problem scenario described in https://bugzilla.mozilla.org/show_bug.cgi?id=980355#c55
Flags: needinfo?(jorge)
Flags: needinfo?(benjamin)
Thanks for following up on this. Schalk, in response to your question - "Regarding plugincheck on mozilla.org, all seems to be good so, I can ask for this to be pushed to production correct?" Yes, if pushing to production is fine. But, please don't close this issue out until the add-on page also links users to - https://developer.cisco.com/site/collaboration/jabber/websdk/develop-and-test/voice-and-video/troubleshooting/#plugin_vulnerabilities_user Thank you, -Vibhavaree
Flags: needinfo?(vgargeya)
Thanks for following up on this. Schalk, in response to your question - "Regarding plugincheck on mozilla.org, all seems to be good so, I can ask for this to be pushed to production correct?" Yes, pushing to production is fine. But, please don't close this issue out until the add-on page also links users to - https://developer.cisco.com/site/collaboration/jabber/websdk/develop-and-test/voice-and-video/troubleshooting/#plugin_vulnerabilities_user Thank you, -Vibhavaree
Since blocked plugins aren't necessarily supported in plugincheck, it makes sense to direct users to the blocklist page. That's where they are more likely to find the right link to update. We can add that link to the production block page, but we can't change the Add-ons Manager to point there directly.
Flags: needinfo?(jorge)
Flags: needinfo?(benjamin)
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Assignee: schalk.neethling.bugs → jorge
So, are we okay to push the block live?
Jorge, can the update link please be placed on the blocklist page, if that is where users who click "update now" on the add-ons page will be directed to? Update link is - https://developer.cisco.com/site/collaboration/jabber/websdk/develop-and-test/voice-and-video/troubleshooting/#plugin_vulnerabilities_user thank you, -Vibhavaree
Yes, that's not a problem.
Great, Jorge, can we take a look at a staged version to make sure the flow is what we are expecting? thank you, -Vibhavaree
Jorge I think we've tested this sufficiently, please push it live.
Status: REOPENED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → 2014-06
I've tested with our plug-in and Firefox version 30 on both Windows and Mac. The plug-in block is implemented properly, including links to the correct url from both the plugin check page and addons page. Thanks to all of you at Mozilla for your work on this!
Product: addons.mozilla.org → Toolkit