Re: note on gnome shell extensions

[Marcus Meissner <meissner () suse de>]

On Thu, Sep 13, 2012 at 05:39:57PM +0200, Tavis Ormandy wrote:
> On Mon, Sep 10, 2012 at 02:48:38PM -0600, Vincent Danen wrote:
> > * [2012-09-08 18:14:10 -0600] Kurt Seifried wrote:
> > SUSE has some interesting info in their bug:
> >
> > https://bugzilla.novell.com/show_bug.cgi?id=779473#c4
> >
> > By the sounds of it, this should be harmless.  Vincent Untz says that
> > the browser plugin doesn't actually install the extensions, it's passed
> > to another process via a dbus call to gnome-shell, which sends the uuid
> > of the extension to the extensions.gnome.org web site in order to
> > download the extension.
> >
> > See:
> >
> > http://git.gnome.org/browse/gnome-shell/tree/js/ui/shellDBus.js#n305
> > http://git.gnome.org/browse/gnome-shell/tree/js/ui/extensionDownloader.js#n27
> >
> > which is:
> >
> > let message = Soup.form_request_new_from_hash('GET', REPOSITORY_URL_INFO, params);
> >
> > And REPOSITORY_URL_INFO is hardcoded earlier:
> >
> > const REPOSITORY_URL_BASE = 'https://extensions.gnome.org';
> > const REPOSITORY_URL_DOWNLOAD = REPOSITORY_URL_BASE + '/download-extension/%s.shell-extension.zip';
> > const REPOSITORY_URL_INFO     = REPOSITORY_URL_BASE + '/extension-info/';
> > const REPOSITORY_URL_UPDATE   = REPOSITORY_URL_BASE + '/update-info/';
> >
> > I don't think this is something that can be exploited, based on the
> > above.
>
> Not sure I follow the logic, can't I just upload something malicious to
> extensions.gnome.org and then force you to download it? I mean, I can
> try it if you're not convinced it's possible.

There are supposed to be reviewers before it gets activated, but exactly
this concern Sebastian also voiced.
 
> They surely do not have a magical technique for determining if my code
> is or can become malicious.

Exactly.

Ciao, Marcus