Ticket #4234: FFUpdate

File FFUpdate, 3.0 KB (added by gk, 7 years ago)

In the FF update mechanism three parts are involved:

1) an update.xml probably on a remote server
2) the update .mar file probably on a remote server as well
3) code and preferences on the client side that drive the update process

ad 1) Information regarding the format may be found at:
  https://wiki.mozilla.org/Software_Update:updates.xml_Format

ad 2) Useful links:
  https://wiki.mozilla.org/Software_Update:HowToManuallyGenerateMARFiles
  https://wiki.mozilla.org/UpdateGeneration
  https://wiki.mozilla.org/Software_Update:Processing_Updates
  http://old.nabble.com/Problem-creating-MAR-file.-td32154053.html

ad 3) Relevant prefs that need to be handled:
  app.update.cert.*.*

  These prefs allow a "pinning" of certificates. More exactly, the code in
  toolkit/mozapps/shared/CertUtils.jsm compares every preference value with
  the counterpart in the certificate of the server hosting the update.xml
  (provided "app.update.cert.checkAttributes" is "true"). See e.g. the AString
  attributes in nsIX509Cert.idl for possible options.

  Setting "app.update.cert.requireBuiltin" to "true" does not sound useful to
  me. Even if one uses a CA with a "Builtin Object Token" there are still way
  too many of them in Mozilla's root store to mitigate MITM attacks (if this
  even was the intention of this pref).

  It does not matter whether the pref "app.update.url" or
  "app.update.url.override" gets used to point to the update.xml if one wants
  the above described "cert pinning" feature as well. The source needs patches
  in either case.

  The patches:
  Most of the small patches just replace the application version with the
  JonDoBrowser version which is set by the JonDoFox extension (I've seen that
  TorBrowser has a similar preference, thus this should be straightforward.
  Maybe you have to double-check whether the current format of the TorBrowser
  version pref is in the proper format to get used by Mozilla's version
  comparator...)
  The patch of nsUpdateDriver.cpp is neither working on all platforms nor
  complete. The first part of the patch is not working on Mac OS X as two
  directories above the appDir is not enough for the TBB update to get properly
  applied. When I wrote the patch I did not have a working Mac to take that
  into account and therefore treated all platforms in the same way. The second
  part of the patch is not complete. I essentially commented the version check
  out as the comparison with the pref is not working here. The problem is that
  user defined prefs are not available yet (the code is running before a
  profile is chosen and all its user defined prefs are initialized). The way to
  go here is probably to use an environment variable (see e.g. the
  MOZ_UPDATE_APPDIR_OVERRIDE check in the same file) but I have not tested it
  yet.

  There is a lot to do as the patches are nothing more than a PoC. Especially,
  the post update code needs to get examined and patched where needed, other
  code paths than the default one need to get adapted and above all the
  robustness against attacks outlined in this bug needs to get examined.
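
Added example (not part of gk's file and not Mozilla's CertUtils.jsm code): a stand-alone JavaScript model of the attribute pinning described under "ad 3)", showing why a certificate for the same host from a different CA is rejected. The pref names follow the note's app.update.cert.<n>.<attribute> pattern; the function names, the sample values and the fail-closed handling of an empty pin list are assumptions of this sketch.

```javascript
// Stand-alone model of attribute-based certificate pinning (illustration only;
// function names are hypothetical, this is not Mozilla's CertUtils.jsm).

// Group flat prefs "<branch><n>.<attribute>" into one attribute set per <n>.
function readPinSets(prefs, branch) {
  const sets = new Map();
  for (const [name, value] of Object.entries(prefs)) {
    if (!name.startsWith(branch)) continue;
    const rest = name.slice(branch.length);
    const dot = rest.indexOf(".");
    if (dot <= 0 || dot === rest.length - 1) continue; // e.g. checkAttributes
    const n = rest.slice(0, dot);
    if (!sets.has(n)) sets.set(n, {});
    sets.get(n)[rest.slice(dot + 1)] = value;
  }
  return [...sets.values()];
}

// A cert passes when at least one pin set matches on every attribute it lists.
// Assumption of this sketch: fail closed when no pin sets are configured.
function checkPinnedCert(cert, prefs, branch, checkAttributes) {
  if (!checkAttributes) return { ok: true, reason: "attribute check disabled" };
  const sets = readPinSets(prefs, branch);
  if (sets.length === 0) return { ok: false, reason: "no pin sets configured" };
  const hit = sets.some((set) =>
    Object.keys(set).every((a) => typeof cert[a] === "string" && cert[a] === set[a]));
  return hit ? { ok: true, reason: "matched a pin set" }
             : { ok: false, reason: "certificate matches no pin set" };
}

// Constructed sample data (not real certificate values).
const BRANCH = "app.update.cert.";
const samplePrefs = {
  "app.update.cert.checkAttributes": "true",
  "app.update.cert.1.issuerName": "CN=Example Pinned CA,O=Example",
  "app.update.cert.1.commonName": "updates.example.org",
  "app.update.cert.2.issuerName": "CN=Example Backup CA,O=Example",
  "app.update.cert.2.commonName": "updates.example.org",
};
const pinnedCert = { issuerName: "CN=Example Pinned CA,O=Example", commonName: "updates.example.org" };
// Same host name, but issued by a different CA.
const otherCaCert = { issuerName: "CN=Some Other Builtin CA,O=Other", commonName: "updates.example.org" };

console.log(checkPinnedCert(pinnedCert, samplePrefs, BRANCH, true));
console.log(checkPinnedCert(otherCaCert, samplePrefs, BRANCH, true));
```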