Closed Bug 1302211 Opened 8 years ago Closed 8 years ago

Sync download protection code with Chrome

Tracking

()

Status:

RESOLVED FIXED

Milestone:

mozilla51

Tracking Flags:

Tracking

Status

firefox51

---

fixed

People

(Reporter: francois, Assigned: francois)

Details

Attachments

(3 files)

Bug 1302211 - Import latest Safe Browsing CSD file from Chrome. 8 years ago François Marier [:francois] 58 bytes, text/x-review-board-request	gcp : review+	Details
Bug 1302211 - Remove .osx extension from download protection. 8 years ago François Marier [:francois] 58 bytes, text/x-review-board-request	gcp : review+	Details
Bug 1302211 - Sync file extension list with Chrome. 8 years ago François Marier [:francois] 58 bytes, text/x-review-board-request	gcp : review+	Details

François Marier [:francois]

Assignee

Description

•

8 years ago

Chrome has updated the Application Reputation protobuf file to make the verdict optional to make it future-proof: https://codereview.chromium.org/2292963004/

They are also removing the .osx file extension: https://bugs.chromium.org/p/chromium/issues/detail?id=641614

François Marier [:francois]

Assignee

Comment 1

•

8 years ago

For the rest of the extensions (https://cs.chromium.org/chromium/src/chrome/browser/resources/safe_browsing/download_file_types.asciipb), Chrome only does remote verification for file extensions marked as FULL_PING.

The DangerLevel determines the behavior of the browser when an UNKNOWN verdict is received. We don't currently make use of this information and treat UNKNOWN as SAFE.

Comment hidden (mozreview-request)

Review commit: https://reviewboard.mozilla.org/r/78282/diff/#index_header
See other reviews: https://reviewboard.mozilla.org/r/78282/

Comment hidden (mozreview-request)

https://bugs.chromium.org/p/chromium/issues/detail?id=641614

Review commit: https://reviewboard.mozilla.org/r/78284/diff/#index_header
See other reviews: https://reviewboard.mozilla.org/r/78284/

Comment hidden (mozreview-request)

Directly executable file types were added and types that Chrome
doesn't submit to the remote server were removed.

PDF is retained for now and many archive types are commented-out.

https://cs.chromium.org/chromium/src/chrome/browser/resources/safe_browsing/download_file_types.asciipb

Review commit: https://reviewboard.mozilla.org/r/78286/diff/#index_header
See other reviews: https://reviewboard.mozilla.org/r/78286/

François Marier [:francois]

Assignee

Updated

•

8 years ago

Assignee: nobody → francois

Priority: -- → P2

François Marier [:francois]

Assignee

Updated

•

8 years ago

Status: NEW → ASSIGNED

Gian-Carlo Pascutto [:gcp]

Comment 5

•

8 years ago

mozreview-review

Comment on attachment 8790503 [details]
Bug 1302211 - Import latest Safe Browsing CSD file from Chrome.

https://reviewboard.mozilla.org/r/78282/#review77396

rs+

Attachment #8790503 - Flags: review?(gpascutto) → review+

Gian-Carlo Pascutto [:gcp]

Comment 6

•

8 years ago

mozreview-review

Comment on attachment 8790504 [details]
Bug 1302211 - Remove .osx extension from download protection.

https://reviewboard.mozilla.org/r/78284/#review77398

Attachment #8790504 - Flags: review?(gpascutto) → review+

Gian-Carlo Pascutto [:gcp]

Comment 7

•

8 years ago

mozreview-review

Comment on attachment 8790505 [details]
Bug 1302211 - Sync file extension list with Chrome.

https://reviewboard.mozilla.org/r/78286/#review77402

::: toolkit/components/downloads/ApplicationReputation.cpp:452
(Diff revision 1)
> -    StringEndsWith(fileName, NS_LITERAL_STRING(".dll")) || // Windows
> +    StringEndsWith(fileName, NS_LITERAL_STRING(".dll")) || // Windows executable
>      StringEndsWith(fileName, NS_LITERAL_STRING(".dmg")) || // Mac disk image
>      StringEndsWith(fileName, NS_LITERAL_STRING(".dmgpart")) || // Mac disk image
> -    //StringEndsWith(fileName, NS_LITERAL_STRING(".docb")) ||
> -    StringEndsWith(fileName, NS_LITERAL_STRING(".docm")) || // MS Word
> -    StringEndsWith(fileName, NS_LITERAL_STRING(".docx")) || // MS Word
> +    //StringEndsWith(fileName, NS_LITERAL_STRING(".docb")) || // MS Office
> +    //StringEndsWith(fileName, NS_LITERAL_STRING(".docm")) || // MS Word
> +    //StringEndsWith(fileName, NS_LITERAL_STRING(".docx")) || // MS Word

"Huh"

No more afraid of Office Macros?

Gian-Carlo Pascutto [:gcp]

Comment 8

•

8 years ago

mozreview-review

Comment on attachment 8790505 [details]
Bug 1302211 - Sync file extension list with Chrome.

https://reviewboard.mozilla.org/r/78286/#review77406

Attachment #8790505 - Flags: review?(gpascutto) → review+

François Marier [:francois]

Assignee

Comment 9

•

8 years ago

(In reply to Gian-Carlo Pascutto [:gcp] from comment #7)
> > -    //StringEndsWith(fileName, NS_LITERAL_STRING(".docb")) ||
> > -    StringEndsWith(fileName, NS_LITERAL_STRING(".docm")) || // MS Word
> > -    StringEndsWith(fileName, NS_LITERAL_STRING(".docx")) || // MS Word
> > +    //StringEndsWith(fileName, NS_LITERAL_STRING(".docb")) || // MS Office
> > +    //StringEndsWith(fileName, NS_LITERAL_STRING(".docm")) || // MS Word
> > +    //StringEndsWith(fileName, NS_LITERAL_STRING(".docx")) || // MS Word
> 
> "Huh"
> 
> No more afraid of Office Macros?

I was also surprised, but Chrome doesn't send them through the remote lookup server:

  # OOXML MS Office files.  These can embed executables, but they don't
  # execute automatically when opened.  These are here to produce UMA metrics.

https://cs.chromium.org/chromium/src/chrome/browser/resources/safe_browsing/download_file_types.asciipb?l=1131

Pulsebot

Comment 10

•

8 years ago

Pushed by fmarier@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/248f9c35af3a
Import latest Safe Browsing CSD file from Chrome. r=gcp
https://hg.mozilla.org/integration/autoland/rev/262d65accc67
Remove .osx extension from download protection. r=gcp
https://hg.mozilla.org/integration/autoland/rev/6795bb0cdda6
Sync file extension list with Chrome. r=gcp

Wes Kocher (:KWierso) (Not reading bugmail; email directly if needed)

Comment 11

•

8 years ago

bugherder

https://hg.mozilla.org/mozilla-central/rev/248f9c35af3a
https://hg.mozilla.org/mozilla-central/rev/262d65accc67
https://hg.mozilla.org/mozilla-central/rev/6795bb0cdda6

Status: ASSIGNED → RESOLVED

Closed: 8 years ago

status-firefox51: --- → fixed

Resolution: --- → FIXED

Target Milestone: --- → mozilla51

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Quick Search

Sync download protection code with Chrome

Categories

(Toolkit :: Safe Browsing, defect, P2)

Tracking

()

People

(Reporter: francois, Assigned: francois)

References

Details

Crash Data

Security

(public)

User Story

Attachments

(3 files)

Description

Comment 1

Comment 2

Comment 3

Comment 4

Updated

Updated

Comment 5

Comment 6

Comment 7

Comment 8

Comment 9

Comment 10

Comment 11

Attachment

General

Description

File Name

Content Type