Package: xul-ext-adblock-plus
Version: 2.2.4-1
Severity: normal

--- Please enter the report below this line. ---

Although this is disabled by default, AdBlock will ask you if you want to enable it when you typo a website for the first time. There is no indication that enabling this feature would download a set of rules from a remote website over HTTP!

In lib/typoRules.js typo correction rules are downloaded from a remote site over http:

    loadRulesFrom("http://urlfixer.org/download/rules.json?version=" + RULES_VERSION, false, function(success)

This ruleset can contain arbitrary regular expressions that can rewrite URLs, insert affiliate tags, etc., so controlling this ruleset would allow an attacker to control what websites you are visiting.

Fixing this is unfortunately not as simple as using an https:// URL, as although the website supports https the download URL no longer works for the rules.json over HTTPS.

I'm not sure what the appropriate course of action would be, but here are some suggestions:

 * warn the user that enabling typo correction makes them vulnerable
 * warn them that enabling typo correction might insert some affiliate tags (see Monetization here: https://adblockplus.org/blog/typo-correction-feature-in-adblock-plus)
 * have upstream provide an HTTPS URL for the rules
 * have a Debian package that provides the rules.json

--- System information. ---
Architecture: amd64
Kernel: Linux 3.9.5

Debian Release: jessie/sid
 500 unstable ftp.ro.debian.org
 500 stable security.debian.org
 500 stable ftp.ro.debian.org

--- Package information. ---
Depends                  (Version) | Installed
========================-+-===========
iceweasel                (>= 16.0) | 17.0.7esr-1
 OR icedove              (>= 16.0) | 17.0.5-2
 OR iceape               (>= 2.13) |

Package's Recommends field is empty.
Package's Suggests field is empty.