Adblock Plus and (a little) more
Finding security issues in a website (or: How to get paid by Google) · 2010-12-11 01:40 by Wladimir Palant
I received a payment over $2,500 from Google today. Now the conspiracy theorists among you can go off and rant in all forums that Adblock Plus is sponsored by Google and can no longer be trusted. For those of you who are still with me: the money came through Google’s Vulnerability Reward Program. Recently Google extended the scope of the program to web applications. I took up the challenge and sure enough, in a few hours I found four vulnerabilities in various corners of google.com.
Status update: 2010-12-03 · 2010-12-08 00:44 by Wladimir Palant
Done
- Changed plans for Adblock Plus 1.3.5 — a release in December is unrealistic
- Investigated an issue breaking Java applets when Adblock Plus is installed, probably the same one that is being reported for Pogo.com. Filed bug 616106.
- Got rid of “invalid XBL binding” warning in Firefox 4
- Made sure leak testing tools don’t get confused by Adblock Plus (reporting a non-existent leak)
- Spent some time investigating the memory leak I am observing in my Firefox — couldn’t find anything with the tools I tried, still unsure whether this leak is related to Adblock Plus
- Tried improving 16×16 Adblock Plus icon (will become the most used icon in Firefox 4), with very little success
- Started looking into JSHydra for automated code rewriting
Rewriting JavaScript code with JSHydra · 2010-12-07 20:15 by Wladimir Palant
I was thinking about possible ways to rewrite Adblock Plus code automatically. One way to use it would be the online tool to find redundant filters. Due to its use of Adblock Plus code (which requires JavaScript 1.7) this tool would only work in Firefox. I didn’t really want to give up the convenient features of JavaScript 1.7, neither did I want to fork my code for this web tool which I would need to sync up regularly. Automated rewriting is really the only option but it is usually too complicated.
Status update: 2010-11-26 · 2010-11-26 20:49 by Wladimir Palant
Worked 4.5 days on Adblock Plus this week.
Done
- Finished refactoring of Python scripts used on adblockplus.org. From what I can tell, security best practices are followed everywhere so I made the corresponding Mercurial repository visible.
- Added more information to status reports that will hopefully make dealing with pop-ups easier.
- Disallowed sending issue reports with some configurations to prevent useless reports.
- Implemented a faster filter matching algorithm (filter subscriptions need to adapt before we get all the performance advantages here).
- Set up an Anwiki instance for easylist.adblockplus.org (still needs some theme tuning, this is up to Michael).
- Finally reproduced and fixed the issue with element hiding rules not applying after an exception (regression in Adblock Plus 1.3)
- Fixed script generating nightly builds: removing old builds worked incorrectly and caused the script to remove a 1.3.5a build while leaving 1.3a builds in the directory.
Status update: 2010-11-19 · 2010-11-26 16:35 by Wladimir Palant
Done
- Added a way to change the status of issue reports, with an optional notification sent out to the user.
- Improved sorting of report columns.
- More discussions on issue reporter improvements.
In progress
- Refactoring of Python scripts used on adblockplus.org to make them easier to change and maintain.
Status update: 2010-11-14 · 2010-11-26 16:21 by Wladimir Palant
Worked 4 days on Adblock Plus this week.
Done
- Subscription authors are now getting notifications about new issue reports, choosing between daily and weekly digests is also possible.
- Added sorting functionality to report columns.
- Implemented a bunch of improvements to the digest emails to allow spotting “good” reports more easily.
- Discussed a bunch of other improvement proposals for issue reports.
- Looked into issues that people using icon with text are experiencing – found an undocumented solution, let’s hope that it won’t break with the next Firefox release.
- Fixed toolbar icon in SeaMonkey Mail nightlies (nobody reported this issue, I guess nobody noticed?).
Comments are now automatically disabled after 6 weeks · 2010-11-24 15:42 by Wladimir Palant
For a long time the policy for this blog was: comments are always welcome. However, I noticed that there are some discussions going on in blog posts that are several years old, and I am not really following them any more. And I started thinking: when was the last time that a genuinely useful comment was received on an older blog post? I mean, a comment that wasn’t spam, off-topic, a rehashing of arguments that were mentioned years ago, or something that would be better off in the forum. And I don’t remember when this last happened. Typically, all the useful comments arrive in the first few weeks after the article is posted and after that it’s only stuff that nobody will ever read (not even me). So: sorry, comments will now be automatically disabled on blog posts that are older than 6 weeks. If somebody stumbles upon my blog by following a random link, he/she is probably better off creating a forum post rather than commenting in the blog.
Newsletter for subscription authors #1: Adblock Plus 1.3 and beyond · 2010-11-09 17:16 by Wladimir Palant
This mail provides important information for filter subscription authors about Adblock Plus 1.3, changes expected in Adblock Plus 1.4 release and Firefox 4.
Status update: 2010-11-05 · 2010-11-05 21:12 by Wladimir Palant
Worked 4 days on Adblock Plus this week. The releases on Tuesday/Wednesday were very stressful, so I am slowing down.
Done
- Adblock Plus 1.3/1.3.1, Element Hiding Helper 1.1, Diagnostics 1.1.3 released
- Fixed a few minor issues reported for these releases, nothing critical so far
- Created an extension to generate Adblock Plus screenshots, used it to update screenshots/“translate” them to more languages
- Caught up with forum/email again, somewhat
Expected server downtime · 2010-11-05 14:02 by Wladimir Palant
The server will be unreachable for some time later today. This is necessary to move adblockplus.org to a more powerful server, which should hopefully resolve the recent connectivity issues. Everything should be done within 30 minutes. However, it might happen that the IP address of the server changes — in this case it will take a while until everybody can reach the server again (due to DNS caching).