Malicious downloads are allowed on the first download from a fresh profile

NEW
Unassigned

Status

()

Toolkit
Safe Browsing
P5
normal
a month ago
a month ago

People

(Reporter: CristiComo, Unassigned)

Tracking

(Blocks: 1 bug)

Trunk
Points:
---

Firefox Tracking Flags

(firefox-esr52 unaffected, firefox54 affected, firefox55 affected, firefox56 affected)

Details

(Reporter)

Description

a month ago
[Affected versions]:
 Fx 54.0.1
 Fx 55.0b8
 Fx 56.0a1

[Affected platforms]:
 Windows 10 x64
 macOS X 10.12.3
 Ubuntu 14.04 LTS 

[Steps to reproduce]:
 1. Launch Firefox on a clean profile.
 2. Go to http://testsafebrowsing.appspot.com/.
 3. Click on the link from "1.Should show a "malicious" warning, based on URL" from "Desktop Download Warnings".

[Expected result]:
 The download is not started and the user is warned about the malicious download by displaying the red dot warning from the download panel icon.

[Actual result]:
 The download is finished.

[Regression range]:
 Last good build ID: 20170205030206
 First bad build ID: 20170206030211
 Pushlog:
https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=3e555770a90a41e04bbb4ac41b65fa2f1db6977d&tochange=20a8536b0bfac74389d3a57bd8dd957d98779ce1

[Additional notes]:
 a. Screen record with the issue: http://imgur.com/a/x0z0S
 b. This issue occurs only on the first download from a clean profile.
(Reporter)

Updated

a month ago
Has Regression Range: --- → yes
Has STR: --- → yes

Comment 1

a month ago
(In reply to Cristian Comorasu [:CristiComo] from comment #0)
>  b. This issue occurs only on the first download from a clean profile.

I have sometimes observed this on an existing profile as well, so it may be worth investigating, see related bug 1146976 which happened some time ago. This might not depend on us but on the Safe Browsing service, though.

The issue with new profiles is well-known, and it happens because the full Safe Browsing lists haven't been updated yet. Since our QA is often stumbling on this issue, see bug 1299170 as example, is there a way to set up our own test URIs that are hardcoded in the client? In fact for the Downloads Panel we just need to test the verdicts, in particular malware, potentially unwanted, and uncommon downloads.
Component: Downloads Panel → Safe Browsing
Product: Firefox → Toolkit
See Also: → bug 1146976, bug 1299170
(In reply to :Paolo Amadini from comment #1)
> The issue with new profiles is well-known, and it happens because the full
> Safe Browsing lists haven't been updated yet. Since our QA is often
> stumbling on this issue, see bug 1299170 as example

Indeed, for the new profile, the Safe Browsing lists updating will be kicked off after a random time between 0 - 1 mins, so we probably have to wait for about 3-5 minutes to get the lists.
We wrote a support page to let users manually update Safe Browsing list in about:url-classifier. You will see some update button, if you want to test malicious warning page, just click update before your test.
(In reply to Thomas Nguyen[:tnguyen] ni plz from comment #2)
> Indeed, for the new profile, the Safe Browsing lists updating will be kicked
> off after a random time between 0 - 1 mins, so we probably have to wait for
> about 3-5 minutes to get the lists.
> We wrote a support page to let users manually update Safe Browsing list in
> about:url-classifier. You will see some update button, if you want to test
> malicious warning page, just click update before your test.

What Thomas said is true in general (and for V4 that's all we'll care about), but for V2 (Fx <= 55), there is an extra complication: it takes up to 14 hours for the entire list to be downloaded.

So because the first test of the "Download Warnings" section is based on URL blocking (as opposed to the contents of the download), then if you're using a new profile, you need to first leave it running for 14 hours before running through the tests.

After that, it should work fine. All of the tests should pass.

Comment 4

a month ago
Thanks for the explanation, the 14 hours running time is probably the reason for the issues with the first download I observed in existing profiles.

Since this is not an issue anymore in Firefox 56, the most common reason for which QA thinks something is broken in the client could be gone. Maybe we should just leave this bug open as reference for QA until 56 is released.
Priority: -- → P5
You need to log in before you can comment on or make changes to this bug.