Closed
Bug 1286600
Opened 3 years ago
Closed 3 years ago
Malformed revocations cause the new OneCRL client to choke on sync.
Categories
(Core :: Security: PSM, defect, P1)
Core
Security: PSM
P1
Tracking
()
VERIFIED
FIXED
mozilla50
| Tracking | Status | |
|---|---|---|
| firefox50 | --- | verified |
People
(Reporter: mgoodwin, Assigned: mgoodwin)
References
Details
(Whiteboard: [psm-assigned])
Attachments
(1 file)
updateCertBlocklist in blocklist-clients.js does not correctly handle failure of the blocklist.revoke* functions.
|
Assignee | |
Comment 1•3 years ago
|
||
To be clear, the correct behavior here is what happens in the nsBlocklistService implementation of the oneCRL client (e.g. https://dxr.mozilla.org/mozilla-central/source/toolkit/mozapps/extensions/nsBlocklistService.js#983); if single calls to the revocation functions fail the errors are caught so that other revocations are attempted.
|
|
Assignee | |
Comment 2•3 years ago
|
||
Review commit: https://reviewboard.mozilla.org/r/64262/diff/#index_header See other reviews: https://reviewboard.mozilla.org/r/64262/
Attachment #8770980 -
Flags: review?(MattN+bmo)
|
|
Assignee | |
Comment 3•3 years ago
|
||
https://treeherder.mozilla.org/#/jobs?repo=try&revision=3e8ed6746b2e
Priority: -- → P1
Whiteboard: [psm-assigned]
Comment on attachment 8770980 [details] Bug 1286600 - prevent errors in calls to the CertBlocklist from causing blocklist sync to fail. https://reviewboard.mozilla.org/r/64262/#review61328 ::: services/common/blocklist-clients.js:243 (Diff revision 1) > + } catch (e) { > + // prevent errors relating to individual blocklist entries from > + // causing sync to fail. At some point in the future, we may want to > + // accumulate telemetry on these failures. > + } Please add a `Cu.reportError(e)` for this case so they aren't silently ignored. Double-check if that causes a failure on try though in your test.
Attachment #8770980 -
Flags: review?(MattN+bmo) → review+
|
|
Assignee | |
Comment 5•3 years ago
|
||
Comment on attachment 8770980 [details] Bug 1286600 - prevent errors in calls to the CertBlocklist from causing blocklist sync to fail. Review request updated; see interdiff: https://reviewboard.mozilla.org/r/64262/diff/1-2/
|
|
Assignee | |
Comment 6•3 years ago
|
||
https://treeherder.mozilla.org/#/jobs?repo=try&revision=35597c7e6058
|
|
Assignee | |
Comment 7•3 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/1333efcac5064aeb246e977676df99ac2428c0ec Bug 1286600 - prevent errors in calls to the CertBlocklist from causing blocklist sync to fail. r=MattN
|
||
Comment 8•3 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/1333efcac506
Status: NEW → RESOLVED
Closed: 3 years ago
status-firefox50:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla50
|
||
Comment 10•3 years ago
|
||
Verified fixed. I staged bad data on AMO staging, along with existing good entries. I made sure to put good entries before and after the bad one. Created new Fx profile in today's Nightly, then forced blocklist update. Verified that all sites on the list were blocked correctly, even after restart. Verified that revocations.txt file exists and contains blocklist entries - except the bad one. Also saw an error thrown in the browser console for the bad entry it received.
Status: RESOLVED → VERIFIED
You need to log in
before you can comment on or make changes to this bug.
Description
•