From 765406f5323117079d8d3de5b414f32c34757a9a Mon Sep 17 00:00:00 2001 From: FranklinDM Date: Mon, 30 May 2022 15:59:23 -0500 Subject: [Components:Addons] Guard against empty update manifest URL When installing an incompatible add-on, the add-ons manager checks first if a newer and compatible version of that add-on is available by sending a request either to the AUS or the provided update URL in the manifest. If there's no update URL in the manifest and if the application does not provide an add-on update URL via preferences, the add-ons manager will error out and fail to notify that the said add-on is incompatible. This commit addresses that by: (a) preventing substitutions on the update manifest URL - this throws an error if it's empty; and (b) failing early in the add-on update checker if the update manifest URL is empty and sends out an error notification --- components/addons/src/AddonUpdateChecker.jsm | 8 ++++++++ components/addons/src/XPIProvider.jsm | 6 +++++- 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/components/addons/src/AddonUpdateChecker.jsm b/components/addons/src/AddonUpdateChecker.jsm index 0001f921a..596ac9dd4 100644 --- a/components/addons/src/AddonUpdateChecker.jsm +++ b/components/addons/src/AddonUpdateChecker.jsm @@ -590,6 +590,14 @@ function UpdateParser(aId, aUpdateKey, aUrl, aObserver) { let requireBuiltIn = Services.prefs.getBoolPref(PREF_UPDATE_REQUIREBUILTINCERTS, true); logger.debug("Requesting " + aUrl); + + if (!aUrl) { + logger.warn("Request failed: empty update manifest URL"); + this._doneAt = new Error("UP_emptyManifestURL"); + this.notifyError(AddonUpdateChecker.ERROR_DOWNLOAD_ERROR); + return; + } + try { this.request = new ServiceRequest(); this.request.open("GET", this.url, true); diff --git a/components/addons/src/XPIProvider.jsm b/components/addons/src/XPIProvider.jsm index 4d203b573..c5dcc7f9c 100644 --- a/components/addons/src/XPIProvider.jsm +++ b/components/addons/src/XPIProvider.jsm @@ -6098,7 +6098,11 @@ function UpdateChecker(aAddon, aListener, aReason, aAppVersion, aPlatformVersion if ("onUpdateAvailable" in this.listener) aReason |= UPDATE_TYPE_NEWVERSION; - let url = escapeAddonURI(aAddon, updateURL, aReason, aAppVersion); + // Don't perform substitutions on the update URL if we still don't + // have one at this point. + let url = updateURL ? + escapeAddonURI(aAddon, url, aReason, aAppVersion) : + updateURL; this._parser = AddonUpdateChecker.checkForUpdates(aAddon.id, aAddon.updateKey, url, this); } -- cgit v1.2.3