Download Protection: MPKG file not checked on Mac OS
Reported by
resea...@nightwatchcybersecurity.com,
Apr 6 2016
|
||||||||||||||
Issue descriptionVERSION Chrome Version: 49.0.2623.87 Official Build Operating System: Mac OS X El Capitan, version 10.11.3 REPRODUCTION CASE MPKG are another alias for PKG files in Mac OS, which are used by the Mac installer. To reproduce, take any .PKG file, rename it to .MPKG and double click. While Mac OS does show a warning for non-app store files, the same warning is shown for .PKG files which are checked by Chrome. MPKG file processing should match. Sample PKG file: https://github.com/Yubico/yubico.github.com/blob/master/yubikey-neo-manager/releases/yubikey-neo-manager-0.2.2-mac.pkg We can try to provide a patch if eligible for Patch Rewards
,
Apr 6 2016
,
Apr 19 2016
Attaching patch
,
Apr 22 2016
We have a better test case here: https://theowl.xyz/cr/600908/test.mpkg This is the same file as this one, just renamed: https://developers.yubico.com/yubikey-neo-manager/Releases/yubikey-neo-manager-1.4.0-mac.pkg
,
May 6 2016
,
May 13 2016
Just wondering if this issue is still being looked at
,
May 27 2016
Thanks for reporting the issue. I am able to reproduce the issue locally. A .mpkg file is a meta .PKG file that can link to other .PKG files so we should treat them identically. jialiul@ -- would you like to take this on?
,
May 27 2016
+nparker@, Do you mind providing a sample CL of adding new a extension to your shining dynamic file extension list?
,
May 27 2016
Yup, I'll create a cl for this
,
May 29 2016
@nparker: We are attaching a patch using the new dynamic file extension system
,
May 30 2016
Ah. I already have a CL pending: https://codereview.chromium.org/2010333004. Yours was more complete though -- I was missing the GetDownloadType() change. Thanks!
,
May 31 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/72b3586479fea68f62a871caba880f609c0dbd79 commit 72b3586479fea68f62a871caba880f609c0dbd79 Author: nparker <nparker@chromium.org> Date: Tue May 31 23:22:47 2016 Make file type MPKG generate a download ping BUG= 600908 CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:closure_compilation Review-Url: https://codereview.chromium.org/2010333004 Cr-Commit-Position: refs/heads/master@{#396971} [modify] https://crrev.com/72b3586479fea68f62a871caba880f609c0dbd79/chrome/browser/resources/safe_browsing/download_file_types.asciipb [modify] https://crrev.com/72b3586479fea68f62a871caba880f609c0dbd79/chrome/common/safe_browsing/download_protection_util.cc [modify] https://crrev.com/72b3586479fea68f62a871caba880f609c0dbd79/tools/metrics/histograms/histograms.xml
,
May 31 2016
,
Jun 1 2016
,
Jun 7 2016
,
Jun 7 2016
Is there a reason why the bounty is not $1,000 like the usual SB bypass?
,
Jun 7 2016
The amount for a baseline report for Download Protection bypass is $500, as listed on [1]. The final amount is always chosen at the discretion of the reward panel. In this case, the panel decided that the report was baseline quality and the patch trivial. [1]: https://www.google.com/about/appsecurity/chrome-rewards/index.html
,
Jun 8 2016
,
Jun 23 2016
We haven't heard from anyone regarding the reward
,
Mar 9 2017
,
Mar 9 2017
,
Mar 10 2017
For all Download Protection VRP bugs: removing label Restrict-View-Google and adding Restrict-View-SecurityTeam instead.
,
Mar 11 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
||||||||||||||
►
Sign in to add a comment |
||||||||||||||
Comment 1 by nparker@chromium.org
, Apr 6 2016