Package: xul-ext-adblock-plus
Version: 2.2.4-1
Severity: normal

--- Please enter the report below this line. ---

Although this is disabled by default, AdBlock will ask you if you want to enable 
it when you typo a website for the first time. There is no indication that 
enabling this feature would download a set of rules from a remote website over 
HTTP!

In lib/typoRules.js typo correction rules are downloaded from a remote site 
over http:
 loadRulesFrom("http://urlfixer.org/download/rules.json?version=" + 
RULES_VERSION, false, function(success)

This ruleset can contain arbitrary regular expressions that can rewrite URLs, 
insert affiliate tags, etc.,
so controlling this ruleset would allow an attacker to control what websites 
you are visiting.

Fixing this is unfortunately not as simple as using an https:// URL, as 
although the website supports https, the download URL no longer works for the 
rules.json over HTTPS.

I'm not sure what the appropriate course of action would be, but here are some 
suggestions:
 * warn the user that enabling typo correction makes them vulnerable
 * warn them that enabling typo correction might insert some affiliate tags 
(see Monetization here:
https://adblockplus.org/blog/typo-correction-feature-in-adblock-plus)
 * have upstream provide an HTTPS URL for the rules
 * have a Debian package that provides the rules.json


--- System information. ---
Architecture: amd64
Kernel:       Linux 3.9.5

Debian Release: jessie/sid
  500 unstable        ftp.ro.debian.org 
  500 stable          security.debian.org 
  500 stable          ftp.ro.debian.org 

--- Package information. ---
Depends        (Version) | Installed
========================-+-===========
iceweasel     (>= 16.0)  | 17.0.7esr-1
 OR icedove   (>= 16.0)  | 17.0.5-2
 OR iceape     (>= 2.13) | 


Package's Recommends field is empty.

Package's Suggests field is empty.


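The rewrite-rule risk described in the report, as an added example (this is not Adblock Plus or urlfixer.org code; the {pattern, replacement} rule shape, the sample rules, and the attacker.example host are constructed for illustration, since the bug report does not show the real rules.json schema). It applies a downloaded rules list to a typed URL, then shows what an on-path attacker who tampers with the unauthenticated HTTP response can make the same engine do:

```javascript
// Added example (not code from Adblock Plus or urlfixer.org): a simplified
// typo-correction engine driven by a downloaded rules list.
// Assumption: each rule is {pattern, replacement}, where pattern is a regex
// source string and replacement may use $1..$n back-references.

// Constructed stand-in for a legitimate rules.json as served by the rules host.
const LEGIT_RULES = [
  { pattern: '^(https?://)(www\\.)?gogle\\.com(/.*)?$',    replacement: '$1www.google.com$3' },
  { pattern: '^(https?://)(www\\.)?wikipeda\\.org(/.*)?$', replacement: '$1www.wikipedia.org$3' },
];

// Apply the first matching rule to a URL the user typed.
// Returns the corrected URL, or null when no rule matches (no correction).
function applyTypoRules(rules, url) {
  for (const rule of rules) {
    const re = new RegExp(rule.pattern, 'i');
    if (re.test(url)) {
      // Unmatched optional groups expand to '' in JS replacement strings,
      // so 'http://gogle.com' (no path) still rewrites cleanly.
      return url.replace(re, rule.replacement);
    }
  }
  return null;
}

// Simulate what an on-path attacker can do to a rules.json fetched over plain
// HTTP: nothing authenticates the response, so rules can be prepended or
// replaced wholesale and the client cannot tell.
function tamperRulesInTransit(rules) {
  return [
    // Send every google typo to an attacker-controlled host instead.
    { pattern: '^(https?://)(www\\.)?gogle\\.com(/.*)?$',
      replacement: 'http://attacker.example$3' },
    // "Correct" a typo but append an affiliate tag the user never asked for.
    { pattern: '^(https?://)(www\\.)?amazn\\.com(/.*)?$',
      replacement: '$1www.amazon.com$3?tag=attacker-20' },
    ...rules,
  ];
}

// Stand-alone demonstration.
if (typeof require !== 'undefined' && require.main === module) {
  const typed = 'http://gogle.com/search?q=debian';
  console.log('legit rules:   ', applyTypoRules(LEGIT_RULES, typed));
  console.log('tampered rules:', applyTypoRules(tamperRulesInTransit(LEGIT_RULES), typed));
}
```

The engine itself is not the problem; the point is that whoever can write to the rules list decides where a mistyped domain lands, which is why an unauthenticated HTTP download of that list is equivalent to letting the network choose the destination.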