Closed Bug 299479 Opened 19 years ago Closed 18 years ago

Missing version number validation leads potential path traversal and other troubles

Categories

(addons.mozilla.org Graveyard :: Developer Pages, defect)

Product:
addons.mozilla.org Graveyard
Component:
Developer Pages
Type:
defect
Priority:
Not set
Severity:
major

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: ma1, Assigned: fligtar)

References

(
URL
)

Details

(Whiteboard: verify that this is no longer a threat, then resolve)

Attachments

(2 obsolete files)

We don't validate version numbers extracted from extension manifest. We use that number to form a file name: using meta characters in version number can lead to weird (or dangerous) results. This is not as severe as bug #298756, because patch of that bug (attachment #187287) prevents uploading of files that are not xpi nor jars. Nevertheless, there's potential for directory traversal which may be exploited e.g. to overwrite already approval extensions skipping review.
Attached patch Version number validation (obsolete) (deleted) — Splinter Review
Attachment #188056 - Flags: first-review?(cst)
Comment on attachment 188056 [details] [diff] [review] Version number validation I'd like it if the die message told the user how to make the version number valid. r=cst
Attachment #188056 - Flags: first-review?(cst) → first-review+
(In reply to comment #2) > (From update of attachment 188056 [details] [diff] [review] [edit]) > I'd like it if the die message told the user how to make the version number > valid. I wouldn't, because I don't trust an extension developer which doesn't read the relevant documentation and know how a version number should be ;)
Attached patch Better indentation + link to reference doc (obsolete) (deleted) — Splinter Review
Attachment #188056 - Attachment is obsolete: true
Attachment #188295 - Flags: first-review?(mconnor)
Group: webtools-security → update-security
how did it end?
Status: NEW → ASSIGNED
Comment on attachment 188295 [details] [diff] [review] Better indentation + link to reference doc man, I could bitch about style, but its AMO 1.0, style is irrelevant here.
Attachment #188295 - Flags: first-review?(mconnor) → first-review+
Comment on attachment 188295 [details] [diff] [review] Better indentation + link to reference doc This patch is no longer valid, this section of code was rewritten.
Attachment #188295 - Attachment is obsolete: true
Assignee: g.maone → nobody
Status: ASSIGNED → NEW
Whiteboard: verify that this is no longer a threat, then resolve
Target Milestone: 1.0 → 2.0
Assignee: nobody → fligtar
Depends on: remora-dev
OS: Windows XP → All
Target Milestone: 2.0 → 3.0
The regex and link in the patch have been added in Remora.
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Product: addons.mozilla.org → addons.mozilla.org Graveyard
I think that this should be made public by now.
Flags: needinfo?(amuntner)
Group: client-services-security
Flags: needinfo?(amuntner)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: