Closed Bug 1167493 Opened 6 years ago Closed 6 years ago
Application Reputation: disable remote lookup of zip files on Mac and Linux
MozReview Request: Bug 1167493 - Application Reputation: disable remote lookup of zip files on Mac and Linux
39 bytes, text/x-review-board-request
Until bug 1167040 is fixed, we should avoid remote lookups on Mac and Linux for zip files. My reasoning behind this quick work-around: - We have always (incorrectly) done remote lookup of all zip files on Windows, so it's not a regression on that platform. - If we disable all zip file remote lookups on Windows, we will miss some malware. - We've never had any remote lookups on Mac and Linux in release so even with zip files disabled, we're increasing the coverage on those platforms.
/r/9243 - Bug 1167493 - Application Reputation: disable remote lookup of zip files on Mac and Linux Pull down this commit: hg pull -r fcf2ae3fb6128fbe9839155b408d893fbf7c1c78 https://reviewboard-hg.mozilla.org/gecko/
Attachment #8609179 - Flags: review?(gpascutto)
Assignee: nobody → francois
Status: NEW → ASSIGNED
Comment on attachment 8609179 [details] MozReview Request: bz://1167493/francois https://reviewboard.mozilla.org/r/9241/#review7929
Attachment #8609179 - Flags: review?(gpascutto) → review+
[Tracking Requested - why for this release]: We're not supposed to send metadata about zip files to the remote lookup server unless they contain executable files. Since we are introducing remote lookups on Mac/Linux in 39, we should avoid doing the wrong thing there. On Windows, we've always done it wrong so we can wait for the proper fix as it's not a regression.
Tracking for Firefox40. Francois, could you also add a request to uplift this to mozilla-aurora? It's the tracking flag approval-aurora. Thanks. After this fix gets stabilized in FF40, we can consider tracking it for FF39. Leaving FF39 flag unchanged.
I don't mind just tracking it now for 39. Is this a regression on mac and linux? If so is it pretty recent? Do we know when it broke?
Verified fixed 2015-05-26. Monitoring network traffic before and after the patch shows that the safe browsing lookup no longer happens upon downloading the ZIP file.
Status: RESOLVED → VERIFIED
This is a regression in 39 on Mac/Linux because prior to bug 1111741 being fixed there were no download lookups at all on those platforms. Windows has always had them (wrongly), so it's not a regression.
Comment on attachment 8609179 [details] MozReview Request: bz://1167493/francois Approval Request Comment [Feature/regressing bug #]: https://bugzilla.mozilla.org/show_bug.cgi?id=1111741 [User impact if declined]: privacy leak as metadata about all downloaded zip files will be submitted to the remote lookup server. also, the service provider has asked us to avoid sending these lookups to their server. [Describe test coverage new/current, TreeHerder]: manual tests [Risks and why]: can't think of any. it only affects mac and linux and these platforms have never had remote lookups in a release. [String/UUID change made/needed]: none
Comment on attachment 8609179 [details] MozReview Request: bz://1167493/francois Verified, low risk, new feature, taking it.
You need to log in before you can comment on or make changes to this bug.