Closed Bug 1155813 Opened 10 years ago Closed 10 years ago

Add the file hash as a GET parameter in its download URL to prevent CDN issues

Categories

(addons.mozilla.org Graveyard :: Admin/Editor Tools, defect)

Platform: x86 macOS
Type: defect
Priority: Not set
Severity: normal

Tracking

(Not tracked)

RESOLVED FIXED
2015-04

People

(Reporter: magopian, Assigned: magopian)

Details

When a file's content is updated (e.g. when it's signed), we also update its hash. However, the CDN might continue caching the original file for 24 hours, while its hash has now changed.

This means the old file will still be served, and also that the "install addon" step will fail with a message saying that the addon wasn't downloaded because its content was different from what was expected.

Adding the file hash as a GET parameter to the URL will prevent this issue.
PR: https://github.com/mozilla/olympia/pull/512

STR: check any url that points to the final xpi (not one that results in a redirect, like /latest/, but for example the "install button" links in the versions pages of any addon). It should end with "?filehash=<some hash>".
Fixed in https://github.com/mozilla/olympia/commit/9a56119e76bca12b9c27620754a6273309909df0
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Correction to the STR: the "?filehash=..." isn't visible straight away on AMO, it's when the url is redirected to the CDN that it appears. You'll need to either "curl" the url I was talking about and check the "location" part, or use an addon like "httpfox".

Example:
1/ go to https://addons-dev.allizom.org/en-US/firefox/addon/s3google-translator/versions/
2/ right click on the green "add to firefox" button and copy url
3/ use curl (or httpie) to query it:

(olympia)mathieu@shiny:~/olympia (master)$ http https://addons-dev.allizom.org/firefox/downloads/file/245148/s3google_translator-2.13-fx.xpi?src=version-history
HTTP/1.1 302 FOUND
Connection: keep-alive
Content-Security-Policy-Report-Only: script-src 'self' https://www.google.com https://mozorg.cdn.mozilla.net https://www.paypalobjects.com https://ssl.google-analytics.com https://addons-dev-cdn.allizom.org/user-media; default-src * data:; style-src * 'unsafe-inline'; frame-src https://ssl.google-analytics.com https://sandbox.paypal.com; object-src 'none'; report-uri /services/csp/report
Content-Type: text/html; charset=utf-8
Date: Fri, 17 Apr 2015 19:54:34 GMT
Location: https://addons-dev-cdn.allizom.org/user-media/addons/285546/s3google_translator-2.13-fx.xpi?filehash=sha256%3Ad64207f114795253e6823c548fd7d3d7f279038520a2f8d8ab1e295519874534
Server: nginx
Strict-Transport-Security: max-age=31536000
Transfer-Encoding: chunked
Vary: X-Mobile, User-Agent
Via: Moz-zlb10
X-Backend-Server: dev1
X-Frame-Options: DENY
X-Target-Digest: sha256:d64207f114795253e6823c548fd7d3d7f279038520a2f8d8ab1e295519874534

4/ check the "Location" header: it's the CDN url with the ?filehash=sha256%3Ad<the hash here>
5/ make sure the hash is the same as what's in the X-Target-Digest (the part after "sha256:")
Product: addons.mozilla.org → addons.mozilla.org Graveyard
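An added example (not the bug's or olympia's own code) that performs the STR checks above offline against the headers quoted in this comment, and builds a cache-busting download URL from a file's SHA-256 the way the fix describes; the base URL used for that is a placeholder.

```python
# Added example, not code from the bug or from olympia: checks that a 302's
# "Location" carries a "filehash" query parameter equal to "X-Target-Digest",
# and builds the hash-suffixed CDN URL that defeats stale CDN caches.
import hashlib
from urllib.parse import parse_qs, urlencode, urlsplit

# Headers copied from the 302 response quoted in the STR above.
SAMPLE_HEADERS = {
    "Location": (
        "https://addons-dev-cdn.allizom.org/user-media/addons/285546/"
        "s3google_translator-2.13-fx.xpi"
        "?filehash=sha256%3Ad64207f114795253e6823c548fd7d3d7f279038520a2f8d8ab1e295519874534"
    ),
    "X-Target-Digest": "sha256:d64207f114795253e6823c548fd7d3d7f279038520a2f8d8ab1e295519874534",
}


def filehash_from_location(headers):
    """Return the percent-decoded filehash value from the Location header, or None."""
    location = headers.get("Location")
    if not location:
        return None
    # parse_qs decodes "%3A" back to ":", so the value is directly comparable
    # with the X-Target-Digest header.
    values = parse_qs(urlsplit(location).query).get("filehash")
    return values[0] if values else None


def redirect_matches_digest(headers):
    """Step 5 of the STR: filehash in Location must equal X-Target-Digest."""
    filehash = filehash_from_location(headers)
    return filehash is not None and filehash == headers.get("X-Target-Digest")


def cdn_url_for(base_url, content):
    """Append the file's SHA-256 as the filehash GET parameter, so a changed
    file gets a new URL and a CDN cannot serve the old content for it."""
    digest = "sha256:" + hashlib.sha256(content).hexdigest()
    return base_url + "?" + urlencode({"filehash": digest})
```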