Closed Bug 1286600 Opened 3 years ago Closed 3 years ago

Malformed revocations cause the new OneCRL client to choke on sync.

Categories

(Core :: Security: PSM, defect, P1)

Tracking

VERIFIED FIXED
mozilla50
Tracking Status
firefox50 --- verified

People

(Reporter: mgoodwin, Assigned: mgoodwin)

Details

(Whiteboard: [psm-assigned])

Attachments

(1 file)

updateCertBlocklist in blocklist-clients.js does not correctly handle failure of the blocklist.revoke* functions.
To be clear, the correct behavior here is what happens in the nsBlocklistService implementation of the OneCRL client (e.g. https://dxr.mozilla.org/mozilla-central/source/toolkit/mozapps/extensions/nsBlocklistService.js#983); if single calls to the revocation functions fail, the errors are caught so that other revocations are attempted.
Priority: -- → P1
Whiteboard: [psm-assigned]
Comment on attachment 8770980 [details]
Bug 1286600 - prevent errors in calls to the CertBlocklist from causing blocklist sync to fail.

https://reviewboard.mozilla.org/r/64262/#review61328

::: services/common/blocklist-clients.js:243
(Diff revision 1)
> +    } catch (e) {
> +      // prevent errors relating to individual blocklist entries from
> +      // causing sync to fail. At some point in the future, we may want to
> +      // accumulate telemetry on these failures.
> +    }
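
Review bot: the `catch (e)` body holds only a comment, so the exception is dropped with no record of which revocation was rejected, and a certificate that was meant to be blocked stays trusted without any signal. Report the error here together with enough of the entry to identify it, and keep the enclosing `try` limited to the single per-entry revoke call so that failures unrelated to one entry still fail the sync.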

Please add a `Cu.reportError(e)` for this case so they aren't silently ignored. Double-check if that causes a failure on try though in your test.
Attachment #8770980 - Flags: review?(MattN+bmo) → review+
Comment on attachment 8770980 [details]
Bug 1286600 - prevent errors in calls to the CertBlocklist from causing blocklist sync to fail.

Review request updated; see interdiff: https://reviewboard.mozilla.org/r/64262/diff/1-2/
https://hg.mozilla.org/integration/mozilla-inbound/rev/1333efcac5064aeb246e977676df99ac2428c0ec
Bug 1286600 - prevent errors in calls to the CertBlocklist from causing blocklist sync to fail. r=MattN
https://hg.mozilla.org/mozilla-central/rev/1333efcac506
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla50
Duplicate of this bug: 1287862
Verified fixed. I staged bad data on AMO staging, along with existing good entries. I made sure to put good entries before and after the bad one. Created new Fx profile in today's Nightly, then forced blocklist update. Verified that all sites on the list were blocked correctly, even after restart. Verified that revocations.txt file exists and contains blocklist entries - except the bad one. Also saw an error thrown in the browser console for the bad entry it received.
Status: RESOLVED → VERIFIED
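
The behaviour reported and verified in this bug, as an added example that is not code from the bug, the patch, or Firefox: a sync loop that aborts on the first malformed revocation, next to one that isolates each record and reports the failure. `StubCertBlocklist`, its method names, the record field names, the base64 check and the sample records are all assumptions constructed for this example.

```javascript
// Hypothetical stand-in for the blocklist service; method names are assumptions.
const isB64 = (f) => typeof f === "string" && /^[A-Za-z0-9+/]+={0,2}$/.test(f);
class StubCertBlocklist {
  constructor() { this.revoked = []; this.saved = false; }
  add(kind, a, b) {
    if (![a, b].every(isB64)) throw new Error(`malformed ${kind} revocation`);
    this.revoked.push(`${kind}:${a}:${b}`);
  }
  revokeCertByIssuerAndSerial(issuer, serial) { this.add("issuer", issuer, serial); }
  revokeCertBySubjectAndPubKey(subject, hash) { this.add("subject", subject, hash); }
  saveEntries() { this.saved = true; }
}

function applyRecord(record, blocklist) {
  if (record.issuerName && record.serialNumber) {
    blocklist.revokeCertByIssuerAndSerial(record.issuerName, record.serialNumber);
  } else if (record.subject && record.pubKeyHash) {
    blocklist.revokeCertBySubjectAndPubKey(record.subject, record.pubKeyHash);
  } else {
    throw new Error(`record ${record.id} has no usable revocation fields`);
  }
}

// Fragile: the first bad record aborts the loop; later ones are never applied or saved.
function syncFragile(records, blocklist) {
  for (const record of records) applyRecord(record, blocklist);
  blocklist.saveEntries();
}

// Tolerant: each record is isolated, and every failure is reported, not swallowed.
function syncTolerant(records, blocklist, report = console.error) {
  const failures = [];
  for (const record of records) {
    try {
      applyRecord(record, blocklist);
    } catch (e) {
      failures.push({ id: record.id, message: e.message });
      report(e);
    }
  }
  blocklist.saveEntries();
  return failures;
}

// Constructed sample: one malformed record between two good ones.
const RECORDS = [
  { id: "good-1", issuerName: "TUlJ", serialNumber: "AQID" },
  { id: "bad", issuerName: "not base64!", serialNumber: "AQID" },
  { id: "good-2", subject: "TUlK", pubKeyHash: "q83v" },
];
```

With the fragile loop the record after the malformed one is never revoked and nothing is persisted; with the tolerant loop both good records are applied and the returned list names the rejected one.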