Closed Bug 1167493 Opened 5 years ago Closed 5 years ago

Application Reputation: disable remote lookup of zip files on Mac and Linux

Categories

(Toolkit :: Downloads API, defect)

39 Branch
defect
Not set
normal

Tracking


VERIFIED FIXED
mozilla41
Tracking Status
firefox39 + fixed
firefox40 + fixed
firefox41 --- verified

People

(Reporter: francois, Assigned: francois)

References

(Blocks 1 open bug)

Details

Attachments

(1 file, 1 obsolete file)

Until bug 1167040 is fixed, we should avoid remote lookups on Mac and Linux for zip files.

My reasoning behind this quick work-around:

- We have always (incorrectly) done remote lookup of all zip files on Windows, so it's not a regression on that platform.
- If we disable all zip file remote lookups on Windows, we will miss some malware.
- We've never had any remote lookups on Mac and Linux in release so even with zip files disabled, we're increasing the coverage on those platforms.

/r/9243 - Bug 1167493 - Application Reputation: disable remote lookup of zip files on Mac and Linux

Pull down this commit:

hg pull -r fcf2ae3fb6128fbe9839155b408d893fbf7c1c78 https://reviewboard-hg.mozilla.org/gecko/
Attachment #8609179 - Flags: review?(gpascutto)
Assignee: nobody → francois
Status: NEW → ASSIGNED
QA Contact: mwobensmith
Comment on attachment 8609179 [details]
MozReview Request: bz://1167493/francois

https://reviewboard.mozilla.org/r/9241/#review7929
Attachment #8609179 - Flags: review?(gpascutto) → review+
[Tracking Requested - why for this release]: We're not supposed to send metadata about zip files to the remote lookup server unless they contain executable files. Since we are introducing remote lookups on Mac/Linux in 39, we should avoid doing the wrong thing there. On Windows, we've always done it wrong so we can wait for the proper fix as it's not a regression.
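The policy this comment describes (for now, skip remote lookups of zip files entirely on Mac and Linux while Windows keeps its existing behaviour; eventually, look up a zip only when it contains executable files) can be sketched as a small decision function. This is an added example, not Firefox code: the function names, the executable-extension list and the archives it builds in memory are constructed for illustration.

```python
import io
import zipfile

# Constructed subset of extensions treated as "executable" for this example;
# the real list lives in the browser's application-reputation code.
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".msi", ".scr", ".bat", ".cmd"}


def make_zip(entries):
    """Build a zip archive in memory from {name: bytes}; used for constructed test input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def zip_contains_executable(data):
    """True if any entry in the archive's central directory has an executable-looking name.

    Only entry names are read; nothing is extracted. A malformed archive is
    reported as containing no executables so the caller can fall back to
    not sending anything to the remote server.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                lower = name.lower()
                if any(lower.endswith(ext) for ext in EXECUTABLE_EXTENSIONS):
                    return True
    except zipfile.BadZipFile:
        return False
    return False


def should_do_remote_lookup(filename, data, platform, mode="workaround"):
    """Decide whether metadata about a download may go to the remote lookup server.

    platform: "win", "mac" or "linux" (hypothetical labels).
    mode:
      "workaround" - the quick fix in this bug: no zip lookups on Mac/Linux,
                     Windows unchanged (it still looks up every zip).
      "inspect"    - the intended policy: look up a zip only if it contains
                     an executable, regardless of platform.
    Non-zip downloads are out of scope here and are simply allowed through.
    """
    if not filename.lower().endswith(".zip"):
        return True
    if mode == "workaround":
        return platform == "win"
    if mode == "inspect":
        return zip_contains_executable(data)
    raise ValueError("unknown mode: %r" % mode)


if __name__ == "__main__":
    docs = make_zip({"notes.txt": b"hello"})
    installer = make_zip({"setup.exe": b"MZ\x90\x00"})
    for plat in ("win", "mac", "linux"):
        print(plat, "docs.zip workaround ->", should_do_remote_lookup("docs.zip", docs, plat))
        print(plat, "installer.zip inspect ->", should_do_remote_lookup("installer.zip", installer, plat, "inspect"))
```

Under the workaround mode the decision depends only on the platform, which is exactly why it is a stopgap: it stays silent about every zip on Mac and Linux, including ones with executables inside, and still reports every zip on Windows. The inspect mode shows the shape of the proper fix, where the archive's entry names, not the platform, decide whether anything leaves the machine.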
https://hg.mozilla.org/mozilla-central/rev/8eb4eb328849
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla41
Tracking for Firefox40. Francois, could you also add a request to uplift this to mozilla-aurora? It's the tracking flag approval-aurora. Thanks.

After this fix gets stabilized in FF40, we can consider tracking it for FF39. Leaving FF39 flag unchanged.
I don't mind just tracking it now for 39. 
Is this a regression on Mac and Linux? If so, is it pretty recent? Do we know when it broke?
Flags: needinfo?(francois)
Verified fixed 2015-05-26. 

Monitoring network traffic before and after the patch shows that the safe browsing lookup no longer happens upon downloading the ZIP file.
Status: RESOLVED → VERIFIED
This is a regression in 39 on Mac/Linux because prior to bug 1111741 being fixed there were no download lookups at all on those platforms. Windows has always had them (wrongly), so it's not a regression.
Flags: needinfo?(francois)
Comment on attachment 8609179 [details]
MozReview Request: bz://1167493/francois

Approval Request Comment
[Feature/regressing bug #]: https://bugzilla.mozilla.org/show_bug.cgi?id=1111741
[User impact if declined]: Privacy leak, as metadata about all downloaded zip files will be submitted to the remote lookup server. Also, the service provider has asked us to avoid sending these lookups to their server.
[Describe test coverage new/current, TreeHerder]: manual tests
[Risks and why]: Can't think of any. It only affects Mac and Linux, and these platforms have never had remote lookups in a release.
[String/UUID change made/needed]: none
Attachment #8609179 - Flags: approval-mozilla-beta?
Attachment #8609179 - Flags: approval-mozilla-aurora?
Comment on attachment 8609179 [details]
MozReview Request: bz://1167493/francois

Verified, low risk, new feature, taking it.
Attachment #8609179 - Flags: approval-mozilla-beta?
Attachment #8609179 - Flags: approval-mozilla-beta+
Attachment #8609179 - Flags: approval-mozilla-aurora?
Attachment #8609179 - Flags: approval-mozilla-aurora+
Attachment #8609179 - Attachment is obsolete: true
Attachment #8620351 - Flags: review+