Step 1: Set python in the environment variable on the PC, and in the browser the content type for python needs to be set to Always ask; when I click on open it will show the script in the browser and will not execute it.
Step 2: Upload a malicious python script file to Google Drive / OneDrive etc.
Instead of an enhancement it should be fixed so that it behaves properly as Chrome does, i.e. it directly runs the script on the host machine. Firefox doesn't give any alert if the python environment is set. The issue we are discussing is regarding Firefox, not Chrome. We certainly can't give "unknown" files the "known bad" safebrowsing treatment. Apologize for the late reply. If we have a bug or plan to improve that then we could/should throw python on the "dangerous" list once we've done that (have this bug depend on that one). We know from the unhappiness over JNLP handling that our UX around dangerous types needs improving. This is consistent with what Dimi said in comment 5, although at the time he was having trouble finding a file that would trigger it.
On Mac Chrome gives me the "This type of file can harm your computer. anyway?" message when I click the download button on the drive page in comment 14. "no" is unhelpfully brief if it takes a week to get a response. (In reply to Daniel Veditz from comment #17) Within a limited file size it is possible to do this scripting attack. (In reply to :Gijs (he/him) from comment #10) That said, sharing a link to a broken python file where we behave differently from Chrome (on the same machine) would be the most helpful. Yes, but there are filesize limits - depending on the size it may be easier to upload to YouTube, Dropbox or Google Drive as an unlisted/private thing and share the link here. If you want I can share a recorded version. Only if it actually solves anything here, which I'm not sure it would without more details about whether we actually behave differently in the case that's being reported (and if so, if that's actually a result of the safebrowsing difference). Reporter: can you provide an online sample of (i.e. a link to) a python file where we behave differently from Chrome on the same machine? (In reply to :Gijs (he/him) from comment #8) Please let me know whether I need to share any video to prove that it's working. I also checked the telemetry; a fairly large amount of python script dp ping responses are unknown, so this might be a way to consider to improve security if we think this is something worth doing. And for us, unknown are treated as safe for all the extensions.
Python script is included in the download protection binary list, so we may trigger a dp ping after downloading, and the response may be roughly considered as falling into one of these categories: safe, danger or unknown. If I understand correctly, in Chrome, for certain extensions they think "may be dangerous", when the response verdict type is unknown, they will show a warning message to ask users to confirm after downloading (I tried downloading some py files, but without any luck getting an "unknown" response to prove this).
There is another category who are not developers. Instead they run online available python code on their machines. (In reply to Daniel Veditz from comment #2)
How big is that 3rd group? Bigger than the second, surely, but enough so that it's worth inconveniencing the second group (who are likely more influential in terms of recommending Firefox)? Some users: python-based package installed.
I can see non-developer users of such software setting up the python runtime as the handler for .py files (or more likely the installer doing it) and then being more at risk. .js is a special danger on Windows because of defaults. Commercial mass-market software isn't distributed in python form, but Business and home-grown enterprise stuff quite possibly is. On both systems Chrome made the same choice not to treat .py as special, and got the same OS-defined handler (or lack of). Other than installing development tools sufficient to build Firefox I didn't customize any handlers. .py with a code editor and one didn't have an association at all. I tried this on two different types of machines (Mac, Win).