Security/Reviews/Balrog

The Firefox client makes a request to the AUS service with 8-9 parameters (e.g.
/update/3/%PRODUCT%/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VERSION%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%/update.xml)
|SecReview alt solutions=The current solution uses a large number of snippet files which are matched against the parameters.
If a file is matched, the XML version is returned.
An attacker could intercept the binary request and serve malware on an untrusted network.
An attacker could discover a request that consumes a significant amount of processing power on the public nodes, enabling a DoS attack.
}}
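The request shape above (nine positional path parameters ending in update.xml) and the snippet-matching model are what an update backend has to get right before any response is built: a malformed or cleverly encoded path must be rejected rather than partially interpreted, and the match against stored rules must be unambiguous. The following is an added example, not Balrog's or Firefox's own code. It parses a v3 update path into its named fields, splits on "/" before percent-decoding so an encoded slash cannot shift later parameters, and resolves the request against a small rule table. The rule table, its wildcard and priority semantics, the mapping names, the treatment of "no matching rule" as "no update offered", and the sample request values are all constructed for illustration.

```python
"""Added example, not Balrog's or Firefox's own code.

Parses a Firefox AUS v3 update request path
(/update/3/PRODUCT/VERSION/BUILD_ID/BUILD_TARGET/LOCALE/CHANNEL/OS_VERSION/
DISTRIBUTION/DISTRIBUTION_VERSION/update.xml) into named fields and picks the
highest-priority matching rule from a small rule table. The rule table, its
wildcard semantics, the mapping names and the sample requests are all
constructed for illustration.
"""
import re
from fnmatch import fnmatchcase
from urllib.parse import unquote

# Field order of the nine path parameters in the v3 URL scheme on the page.
AUS3_FIELDS = (
    "product", "version", "build_id", "build_target", "locale",
    "channel", "os_version", "distribution", "distribution_version",
)

_AUS3_PATH = re.compile(r"/update/3/(.+)/update\.xml")


def parse_update_path(path):
    """Return the nine fields as a dict, or None if the path is malformed.

    The raw path is split on "/" *before* percent-decoding, so an encoded
    slash (%2F) inside a field stays inside that field instead of shifting
    every later parameter by one. Wrong field counts and empty fields are
    rejected outright; nothing is guessed at.
    """
    m = _AUS3_PATH.fullmatch(path)
    if m is None:
        return None
    parts = m.group(1).split("/")
    if len(parts) != len(AUS3_FIELDS) or any(p == "" for p in parts):
        return None
    return {name: unquote(value) for name, value in zip(AUS3_FIELDS, parts)}


# Constructed rule table (an assumption, not Balrog's real rule format).
# Each rule constrains a subset of fields with shell-style wildcards; a field
# absent from "match" matches anything. Highest priority wins; "mapping" is
# the release the client is pointed at.
RULES = [
    {"priority": 100,
     "match": {"product": "Firefox", "channel": "nightly"},
     "mapping": "Firefox-nightly-latest"},
    {"priority": 50,
     "match": {"product": "Firefox", "channel": "release", "locale": "en-*"},
     "mapping": "Firefox-release-latest"},
]


def match_rule(request, rules=RULES):
    """Return the mapping of the highest-priority rule that matches, or
    None when no rule applies (treated here as "no update offered")."""
    best = None
    for rule in rules:
        if all(fnmatchcase(request.get(field, ""), pattern)
               for field, pattern in rule["match"].items()):
            if best is None or rule["priority"] > best["priority"]:
                best = rule
    return best["mapping"] if best else None


def resolve(path, rules=RULES):
    """Parse a request path and resolve it to a mapping name (or None)."""
    request = parse_update_path(path)
    if request is None:
        return None
    return match_rule(request, rules)


if __name__ == "__main__":
    # Constructed sample request in the v3 shape.
    sample = ("/update/3/Firefox/20.0a1/20130115030945/WINNT_x86-msvc/en-US/"
              "nightly/Windows_NT%206.1/default/default/update.xml")
    print(parse_update_path(sample))
    print(resolve(sample))
```

The order of operations in parse_update_path is the point worth copying: decode after splitting, and reject anything that is not exactly nine non-empty fields, so that a request which does not fit the scheme never reaches rule matching (and never becomes the expensive request the DoS threat above worries about).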
{{SecReviewActionStatus
|SecReview action item status=In Progress
|Feature version=Q2 goal for live in nightly channel
|SecReview action items=* bhearsum :: Are MAR signatures checked on all platforms? Only on Windows, but hashes are checked on all platforms
* releng :: whitelisting URLs that we point to
* releng :: notifications upon human addition (maybe change too?) of a release
* bhearsum :: db dump w/ instructions on how to use
* psiinon :: pentest admin UI
}}
Links:
* https://bugzilla.mozilla.org/show_bug.cgi?id=832462 Balrog SecReview bug
* https://bugzilla.mozilla.org/show_bug.cgi?id=832454 Tracking bug for getting Firefox's "nightly" channel updating through balrog