Extensions InstallVerifier doesn't process invalid extension response from the server
Reported by
ivafa...@gmail.com,
Jun 21 2018
Issue description
UserAgent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 YaBrowser/18.3.1.349 Yowser/2.5 Safari/537.36
Steps to reproduce the problem:
1. |InstallVerifier| performs a request to a web server to check against invalid ids.
2. The web server responds:
"""
{
"protocol_version": 1,
"invalid_ids": [<ext_id>]
}
"""
3. |InstallSigner| cannot find a "signature" field in the response, so it treats the response as invalid.
What is the expected behavior?
Either |InstallSigner| is able to parse responses without valid ids, or the web server produces responses with a signature and an expiry date.
What went wrong?
Malware extension is not recognized.
WebStore page:
Did this work before? No
Chrome version: 64.0.3282.140 Channel: n/a
OS Version: 10.0
Flash Version: Shockwave Flash 30.0 r0
,
Jun 25 2018
,
Jun 26 2018
ivafanas@ Thanks for the issue. We request that you provide a sample extension where this issue can be reproduced, which will help us in further triaging of the issue. Thanks.
,
Jun 27 2018
Hi Susan.
You may check any extension whose id is not in the Chrome Web Store.
It is not critical to have an extension example; the signing server deals with ids only. For example: mfakcejlogndbogfkbgenkbhdgofikgl
Chrome signing server receives POST requests in the following format:
// The request protocol is JSON of the form:
// {
// "protocol_version": "1",
// "hash": "<base64-encoded hash value here>",
// "ids": [ "<id1>", "id2" ]
// }
It can be found here:
https://cs.chromium.org/chromium/src/chrome/browser/extensions/install_signer.cc?dr&l=380
So, a request of this kind:
{
"protocol_version": "1",
"hash": "<base64-encoded hash value here>",
"ids": [ "mfakcejlogndbogfkbgenkbhdgofikgl" ]
}
leads to a response without a signature field, which is not parsed by the Chrome code here:
https://cs.chromium.org/chromium/src/chrome/browser/extensions/install_signer.cc?dr&l=473
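
The response handling discussed in this report, as an added example that is not Chromium's code and not part of the original thread: `strict_parse` mirrors the described behaviour of rejecting any response that lacks "signature", and the hypothetical `tolerant_parse` shows the reporter's first suggested behaviour, accepting an unsigned response only when it vouches for no id. The function names and the constructed response body are assumptions.

```python
import json

# Extension id taken from the report; the response body is constructed to match it.
EXT_ID = "mfakcejlogndbogfkbgenkbhdgofikgl"
UNSIGNED = json.dumps({"protocol_version": 1, "invalid_ids": [EXT_ID]})


def load(body):
    """Return the response as a dict, or None if it is not a version-1 JSON object."""
    try:
        data = json.loads(body)
    except ValueError:
        return None
    # The page shows the version both as 1 and as "1", so compare as text.
    if not isinstance(data, dict) or str(data.get("protocol_version")) != "1":
        return None
    return data


def strict_parse(body):
    """Behaviour described in the report: no "signature" means the response is invalid."""
    data = load(body)
    if data is None or "signature" not in data:
        return None  # any invalid_ids in the body are discarded with it
    return data


def tolerant_parse(body, requested_ids):
    """Hypothetical variant: accept an unsigned response only if it vouches for no id."""
    data = load(body)
    if data is None:
        return None
    invalid = data.get("invalid_ids", [])
    if not isinstance(invalid, list) or not all(isinstance(i, str) for i in invalid):
        return None
    requested, invalid = set(requested_ids), set(invalid)
    if not invalid <= requested:
        return None  # the server named ids that were never asked about
    valid = requested - invalid
    signature = data.get("signature")
    if valid and not signature:
        return None  # ids would be trusted without a signature: fail closed
    # Signature verification itself is out of scope here; a real client must still do it.
    return {"valid_ids": valid, "invalid_ids": invalid, "signature": signature}
```

The unsigned path can only mark requested ids as invalid, so it never extends trust to an extension that a signed response would not have covered.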
,
Jun 27 2018
Thank you for providing more feedback. Adding the requester to the cc list. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by ivafa...@gmail.com
, Jun 21 2018