Closed Bug 1146911 Opened 9 years ago Closed 3 months ago

Malicious files are successfully downloaded through a download area using SSL enabled protocol.

Categories

(Firefox :: Downloads Panel, defect)

38 Branch
defect

Tracking

RESOLVED WORKSFORME

People

(Reporter: VarCat, Unassigned)

Attachments

(1 file)

FF 38
Build id: 20150323004010
OS: Win 7 x64, Ubuntu 14.04 x86, Mac OS X 10.7.5

STR:

1. Go to http://www.eicar.org/85-0-Download.html
2. Download eicar.com from the "Download area using the secure, SSL enabled protocol https" section (e.g. https://secure.eicar.org/eicar.com)

Issue:
The file is successfully downloaded without being blocked.
Monica, do you know if the integrity check is bypassed for SSL downloads?
Flags: needinfo?(mmc)
No, it is not skipped for SSL downloads. Francois is asking Google to put that download on their blocklist. Note that Chrome seems to be showing the POTENTIALLY_UNWANTED warning which we don't yet implement, but could now that the quarantine is implemented (see https://bugzilla.mozilla.org/show_bug.cgi?id=1019933).
Flags: needinfo?(francois)
Also related is that we don't currently do remote metadata lookups for Mac and Linux: https://bugzilla.mozilla.org/show_bug.cgi?id=1111741
True, seems like comment 0 tried it out on Windows though.
Flags: needinfo?(francois)
Depends on: 1019933
No longer depends on: 1019933
Severity: normal → S3

This issue no longer occurs in our latest build, 123.0.1. Firefox will fail to download that file. Also, if it starts to download, the file is automatically deleted and never saved on the computer.

Status: NEW → RESOLVED
Closed: 3 months ago
Resolution: --- → WORKSFORME