Open Bug 1619577 Opened 4 years ago Updated 1 year ago

No warning displayed when downloading malicious files using drag and drop

Categories

(Firefox :: Downloads Panel, defect, P3)

Desktop
All
defect

Tracking Status
firefox73 --- affected
firefox74 --- affected
firefox75 --- affected

People

(Reporter: atrif, Unassigned)

Attachments

(1 file)

Attached video download_warning.mkv

Affected versions

  • 75.0a1 (20200302212732)
  • 74.0 (20200302184608)
  • 73.0.1 (20200217142647)

Affected platforms

  • Ubuntu 18.04
  • Windows 10 x64
  • macOS 10.15

Steps to reproduce

  1. Open Firefox with a new profile and go to https://testsafebrowsing.appspot.com/.
  2. Download a random file from “Desktop Download Warnings” (e.g. 3).
  3. Drag and drop a random link from “Desktop Download Warnings” to the download arrow.
  4. Observe the download panel.

Expected result

  • Both downloads have a warning displayed.

Actual result

  • The file downloaded via drag and drop has no warning.

Regression Range

  • I will search for one ASAP.

Notes

  • Attached a screen recording.

Has Regression Range: --- → no
Has STR: --- → yes
Component: Messaging System → Downloads Panel

Hello!
Firefox 33.0a1 (2014-07-17) was the first build that supported the warnings for malicious files in the downloads panel, and the issue reproduces on that build too. So, based on that, I think it's safe to assume that the issue is not a regression, or maybe that is the expected behavior when the link is dropped to be downloaded.

Has Regression Range: no → ---

I suspect this is due to the fact that the download is initiated by the chrome UI, rather than just being content link navigation, so it goes through DownloadCopySaver rather than DownloadLegacySaver.
I don't remember though if we consider UI-initiated downloads safe by default. DownloadCopySaver seems to have reputation checks from a quick look.

(In reply to Marco Bonardo [:mak] from comment #2)

> I don't remember though if we consider UI-initiated downloads safe by default. DownloadCopySaver seems to have reputation checks from a quick look.

Dimi, do we just need to copy these checks and/or move them to a common codepath? Is this something that you can look at?

Component: Downloads Panel → Safe Browsing
Flags: needinfo?(dlee)
Product: Firefox → Toolkit

(In reply to :Gijs (he/him) from comment #3)

> (In reply to Marco Bonardo [:mak] from comment #2)
>
> > I don't remember though if we consider UI-initiated downloads safe by default. DownloadCopySaver seems to have reputation checks from a quick look.
>
> Dimi, do we just need to copy these checks and/or move them to a common codepath? Is this something that you can look at?

This looks related to the download module, which I don't have any experience with, so I'm not really a good candidate to look into this, sorry!

Component: Safe Browsing → Downloads Panel
Flags: needinfo?(dlee)
Product: Toolkit → Firefox

The priority flag is not set for this bug.
:mak, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(mak)
Flags: needinfo?(mak)
Priority: -- → P3
Severity: normal → S3