Closed
Bug 1167493
Opened 9 years ago
Closed 9 years ago
Application Reputation: disable remote lookup of zip files on Mac and Linux
Categories
(Toolkit :: Downloads API, defect)
Tracking
()
VERIFIED
FIXED
mozilla41
People
(Reporter: francois, Assigned: francois)
References
(Blocks 1 open bug)
Details
Attachments
(1 file, 1 obsolete file)
Until bug 1167040 is fixed, we should avoid remote lookups on Mac and Linux for zip files.
My reasoning behind this quick work-around:
- We have always (incorrectly) done remote lookup of all zip files on Windows, so it's not a regression on that platform.
- If we disable all zip file remote lookups on Windows, we will miss some malware.
- We've never had any remote lookups on Mac and Linux in release so even with zip files disabled, we're increasing the coverage on those platforms.
Assignee
Comment 1•9 years ago
/r/9243 - Bug 1167493 - Application Reputation: disable remote lookup of zip files on Mac and Linux
Pull down this commit:
hg pull -r fcf2ae3fb6128fbe9839155b408d893fbf7c1c78 https://reviewboard-hg.mozilla.org/gecko/
Attachment #8609179 -
Flags: review?(gpascutto)
Assignee
Updated•9 years ago
Assignee: nobody → francois
Status: NEW → ASSIGNED
Assignee
Updated•9 years ago
QA Contact: mwobensmith
Comment 2•9 years ago
https://reviewboard.mozilla.org/r/9243/#review7927 Ship It!
Comment 3•9 years ago
Comment on attachment 8609179 [details] MozReview Request: bz://1167493/francois https://reviewboard.mozilla.org/r/9241/#review7929
Attachment #8609179 -
Flags: review?(gpascutto) → review+
Assignee
Comment 5•9 years ago
[Tracking Requested - why for this release]: We're not supposed to send metadata about zip files to the remote lookup server unless they contain executable files. Since we are introducing remote lookups on Mac/Linux in 39, we should avoid doing the wrong thing there. On Windows, we've always done it wrong so we can wait for the proper fix as it's not a regression.
tracking-firefox39:
--- → ?
tracking-firefox40:
--- → ?
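Added example (not Firefox code and not part of the original bug): a Python sketch that puts the stopgap from this bug next to the rule stated in comment 5, where a zip is looked up only if it contains executables, and shows where the two disagree per platform. The extension list, function names and sample archives are assumptions constructed for illustration.

```python
import io
import posixpath
import zipfile

# Assumption: a short illustrative list, not Firefox's real executable list.
EXECUTABLE_EXTS = {".exe", ".dll", ".msi", ".scr", ".bat", ".dmg", ".pkg", ".sh"}


def ext_of(name):
    """Lower-cased extension of the last path component ('' if none)."""
    return posixpath.splitext(name.lower())[1]


def zip_has_executable(data):
    """True if any archive member has an executable extension."""
    try:
        names = zipfile.ZipFile(io.BytesIO(data)).namelist()
    except zipfile.BadZipFile:
        return False  # sketch's choice: unreadable archive, nothing is sent
    return any(ext_of(n) in EXECUTABLE_EXTS for n in names)


def workaround_lookup(filename, platform):
    """Stopgap from this bug: zips trigger a remote lookup on Windows only."""
    if ext_of(filename) == ".zip":
        return platform == "windows"
    return ext_of(filename) in EXECUTABLE_EXTS


def intended_lookup(filename, data):
    """Rule from comment 5: a zip is looked up only if it holds executables."""
    if ext_of(filename) == ".zip":
        return zip_has_executable(data)
    return ext_of(filename) in EXECUTABLE_EXTS


def make_zip(members):
    buf = io.BytesIO()  # constructed in-memory archive, no files touched
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()


def compare(platform):
    """(name, workaround, intended) for two constructed sample downloads."""
    docs = make_zip({"readme.txt": b"hello"})
    tool = make_zip({"bin/Setup.EXE": b"MZ", "doc.txt": b"x"})
    return [(n, workaround_lookup(n, platform), intended_lookup(n, d))
            for n, d in (("notes.zip", docs), ("tool.zip", tool))]
```

On Windows the stopgap still sends metadata for the text-only archive (the privacy leak), and on Mac/Linux it skips the archive that does contain an executable (the coverage gap).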
Comment 6•9 years ago
https://hg.mozilla.org/mozilla-central/rev/8eb4eb328849
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
status-firefox41:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla41
Tracking for Firefox40. Francois, could you also add a request to uplift this to mozilla-aurora? It's the tracking flag approval-aurora. Thanks. After this fix gets stabilized in FF40, we can consider tracking it for FF39. Leaving FF39 flag unchanged.
Comment 8•9 years ago
I don't mind just tracking it now for 39. Is this a regression on mac and linux? If so is it pretty recent? Do we know when it broke?
Flags: needinfo?(francois)
Comment 9•9 years ago
Verified fixed 2015-05-26. Monitoring network traffic before and after the patch shows that the safe browsing lookup no longer happens upon downloading the ZIP file.
Status: RESOLVED → VERIFIED
Updated•9 years ago
Assignee
Comment 10•9 years ago
This is a regression in 39 on Mac/Linux because prior to bug 1111741 being fixed there were no download lookups at all on those platforms. Windows has always had them (wrongly), so it's not a regression.
Flags: needinfo?(francois)
Assignee
Comment 11•9 years ago
Comment on attachment 8609179 [details] MozReview Request: bz://1167493/francois
Approval Request Comment
[Feature/regressing bug #]: https://bugzilla.mozilla.org/show_bug.cgi?id=1111741
[User impact if declined]: privacy leak as metadata about all downloaded zip files will be submitted to the remote lookup server. also, the service provider has asked us to avoid sending these lookups to their server.
[Describe test coverage new/current, TreeHerder]: manual tests
[Risks and why]: can't think of any. it only affects mac and linux and these platforms have never had remote lookups in a release.
[String/UUID change made/needed]: none
Attachment #8609179 -
Flags: approval-mozilla-beta?
Attachment #8609179 -
Flags: approval-mozilla-aurora?
Updated•9 years ago
status-firefox39:
--- → affected
status-firefox40:
--- → affected
Comment 12•9 years ago
Comment on attachment 8609179 [details]
MozReview Request: bz://1167493/francois
Verified, low risk, new feature, taking it.
Attachment #8609179 -
Flags: approval-mozilla-beta?
Attachment #8609179 -
Flags: approval-mozilla-beta+
Attachment #8609179 -
Flags: approval-mozilla-aurora?
Attachment #8609179 -
Flags: approval-mozilla-aurora+
Assignee
Comment 15•9 years ago
Attachment #8609179 -
Attachment is obsolete: true
Attachment #8620351 -
Flags: review+
Assignee
Comment 16•9 years ago