User-Agent: Mozilla/5.0 (X11; U; Linux i686; fr-FR; rv:1.7.5) Gecko/20041108 Firefox/1.0 Build Identifier: Mozilla/5.0 (X11; U; Linux i686; fr-FR; rv:1.7.5) Gecko/20041108 Firefox/1.0 When Firefox searches for extension updates, he may download software from sites not listed in the whitelist without warning. We do not no how safe these sites are. One can thus imagine a malicious hacker that makes an intrusion on such a site to replace the extension or even just the software update download site that the extension provides. All further updates would then download malicious software if not aldready done. NB: indeed I found myself upgrading Tab Browser Preferences from the supposed author site and then had my Firefox work very bad. I had to uninstall and re-install from the official Mozilla site so now I take care of upgrading from the official extension site only. NB2: I didn't find any bug report about this topic, so I hope this no duplicate! Reproducible: Always Steps to Reproduce: 1. install extensions from the Mozilla site (e.g. Tab Browser Preferences) and restart 2. make Firefox search for extension updates 3. agree to update Actual Results: software updates are installed without warning about the fact that the download site does not belong to the list of trusted extension sites Expected Results: Firefox should warn and discourage to use such sites

We are updating the update.mozilla.org hosting policy and one of the requirements will be that extensions we host must only update from our site. Authors will of course be free to host versions elsewhere that update from where they like (for example, development versions might update from the developers own site). This may be a dupe but I couldn't find it. Possibly it only exists on the in-progress policy document in which case this bug is a useful reminder.

Still waiting on the policy doc. Setting it to block this bug. The code will go somewhere around http://lxr.mozilla.org/update1.0/source/developers/additem.php#88

The extension update url should not be overwritten until UMO can get it's review turnaround down. It's 1 week+ at the moment and getting worse. It it's not closer to 24 hours, overwriting the update url will be a hindrance to extension authors who want to get security fixes out quickly.

While this makes sense from a security standpoint, this will be a pain in the ass for extension authors. I for one don't use UMO's update functionallity for a few different reasons 1) Review turn around as mentioned in comment #3 2) States, I like to know how many users are indeed upgrading, as this reflects what kind of backwards compatibility my extensions should offer, and who I'm tailoring to. 3) UMO instability, if UMO ever goes down or defunct (has happened in the past), all my end users will be stuck.

(In reply to comment #4) > While this makes sense from a security standpoint, this will be a pain in the > ass for extension authors. I reckon security is more important here. 1) Turnaround has improved greatly. 2) UMO could provide statistics to developers on this. 3) As mozilla and umo grow I doubt this will be acceptable in future.

(In reply to comment #4) > While this makes sense from a security standpoint, this will be a pain in the > ass for extension authors. To me security issues are much much more important than extension developer comfort! Developers should all be aware of all kind of security issues and understand why they cannot do whatever they want or would like to. If they really want to keep working for the community they *must* adopt a safe and professional behaviour. Perhaps some tools are missing but I must say I really don't like the idea that UMO downloaded extensions could update from anywhere else even in case of critical bugs. Who could have had enough time to check the patched code? I would rather prefer a kind of alert message that encourages users to disable extensions or force disabling them while the code gets patched. There are a lot of people waiting for Mozilla and its community to make mistakes, please don't give them opportunities... It's so good job!

This has been drafted here http://wiki.mozilla.org/Update:Requirements/LegalAndReview Currently some reviewers are denying addons with external updateurls, but it should be coded into the site so it automatically checks install.rdf when a developer uploads the addon Upping severity as this is a major security issue and I agree with Jean-Michel (comment #7) > (...) There are a lot > of people waiting for Mozilla and its community to make mistakes, please don't > give them opportunities...

morgamic - Now that we're enforcing this rule, we really need to automate it.

Picking this back up.

Comment on attachment 208163 [details] [diff] [review] check for updateURL -- didn't know there was already a patch here I'll be adventerous and commit this. It's simple enough.

Thank you very much sir. http://forums.mozillazine.org/viewtopic.php?p=2010399

Just changing the summary because I'm really tired of searching for the old one.