Treat xrm-ms files as executable (so we warn about them)
Categories
(Toolkit :: Downloads API, defect, P3)
People
(Reporter: Gijs, Assigned: mak)
Details
(Keywords: sec-moderate, sec-vector, Whiteboard: [adv-main125+][adv-esr115.10+])
Attachments
(4 files)
- 48 bytes, text/x-phabricator-request
- 48 bytes, text/x-phabricator-request (phab-bot: approval-mozilla-beta+)
- 48 bytes, text/x-phabricator-request (phab-bot: approval-mozilla-esr115+)
- 316 bytes, text/plain
Comment 2•9 months ago (Assignee)
Daniel, I assume dependencies of a bug inherit its sec level, so this would also be sec-moderate. Though as I don't want to bend rules, I'm asking for confirmation.
Comment 3•9 months ago
Sometimes. We have to balance the fact that this is a separate bug in its own right with not wanting to double-count issues and getting teams in trouble for "having too many security bugs". In this case, sec-moderate seems good.
Comment 6•9 months ago
:mak, does this impact ESR115? Wondering if we need an uplift there also.
Comment 8•9 months ago (Assignee)
Original Revision: https://phabricator.services.mozilla.com/D205067
Comment 9•9 months ago
Uplift Approval Request
- Explanation of risk level: Adding file extension to a list
- User impact if declined: sec-moderate risk on opening the file
- Is Android affected?: no
- Code covered by automated testing: yes
- Needs manual QE test: yes
- String changes made/needed: No
- Fix verified in Nightly: no
- Risk associated with taking this patch: Low
- Steps to reproduce for manual QE testing: Try downloading a file with one of these extensions. If you can't find one easily, rename one in a local file explorer and drag to the tabstrip. Expected behaviour is that once downloaded there's a prompt when trying to open it, rather than it immediately opening
Comment 10•9 months ago (Assignee)
Original Revision: https://phabricator.services.mozilla.com/D205067
Comment 11•9 months ago
Uplift Approval Request
- User impact if declined: sec-moderate risk on opening the file
- Is Android affected?: no
- Code covered by automated testing: yes
- Explanation of risk level: Adding file extension to a list
- Risk associated with taking this patch: Low
- Fix verified in Nightly: no
- Steps to reproduce for manual QE testing: yes
- Needs manual QE test: yes
- String changes made/needed: No
Comment 12•9 months ago
uplift
Comment 13•9 months ago
uplift
Comment 14•8 months ago
I've reproduced this issue on Win 11 x64 with an affected Nightly build, 2024-03-18. Thank you, Marco, for providing the test file.
The issue is verified as fixed on Win 11 x64 using the latest builds, Nightly 126.0a1, Beta 125.0b4 and ESR 115.10.0.