firefox blocks https://www.paypal.com/cgi-bin/webscr (as malware) for one profile, but not others. disabling malware checking (browser.safebrowsing.malware.enabled) confirms it is malware and not phishing. note, we tried to remove urlclassifier2.sqlite, but that didn't seem to help. (hmm, according to lxr, the file is urlclassifier3.sqlite? I don't seem to have that file.) polvi has the profile that can reproduce this, in case you want to look at any files. He has already use the web service (at google.com?) to tell them that this is not a scam. I'm worried something else is going on.

he's using a recent, trunk mac os x build (from november 30, 2007 or more recently) polvi, can you include the exact build id?

(In reply to comment #0) > note, we tried to remove urlclassifier2.sqlite, but that didn't seem to help. > (hmm, according to lxr, the file is urlclassifier3.sqlite? I don't seem to > have that file.) urlclassifier3.sqlite is the current name for the sqlite database that holds this data, so removing urlclassifier2.sqlite won't help any. http://bonsai.mozilla.org/cvsblame.cgi?file=/mozilla/toolkit/components/url-classifier/src/nsUrlClassifierDBService.cpp&rev=1.38&mark=117#116

ah, I have ~/Library/Caches/Firefox/Profiles/pkv0yecg.default/urlclassifier3.sqlite but I also have: ~/Library/Application Support/Firefox/Profiles/pkv0yecg.default/urlclassifier2.sqlite That's why I got confused. povli, I bet finding and removing that ~/Library/Caches/Firefox/Profiles/*.default/urlclassifier3.sqlite would fix it for you, but don't do that yet, please save a copy of that. (as dcamp might need to inspect it?) dcamp: it seems like a potential bug that polvi has one urlclassifier3.sqlite that thinks that https://www.paypal.com/cgi-bin/webscr is malware, no?

(In reply to comment #1) > he's using a recent, trunk mac os x build (from november 30, 2007 or more > recently) > > polvi, can you include the exact build id? Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.4; en-US; rv:1.9b2pre) Gecko/2007113004 Minefield/3.0b2pre Are there any privacy implications of posting the urlclassifiers3.sqlite to this bug?

(In reply to comment #4) > povli, I bet finding and removing that > ~/Library/Caches/Firefox/Profiles/*.default/urlclassifier3.sqlite would fix it > for you, but don't do that yet, please save a copy of that. (as dcamp might > need to inspect it?) yep, it fixed it. I have the copy laying around if needed...

(In reply to comment #5) > Are there any privacy implications of posting the urlclassifiers3.sqlite to > this bug? There is no personally identifying information in urlclassifier3.sqlite. The data in it is the same data that is passed to all Minefield users (with varying chunks) and sent in the clear from Google's servers. Please post it.

(In reply to comment #7) > (In reply to comment #5) > > Are there any privacy implications of posting the urlclassifiers3.sqlite to > > this bug? > > There is no personally identifying information in urlclassifier3.sqlite. The > data in it is the same data that is passed to all Minefield users (with varying > chunks) and sent in the clear from Google's servers. Please post it. http://polvi.net/~polvi/urlclassifier3.sqlite (use wget) Excited to hear what you find!

(In reply to comment #0) > disabling malware checking (browser.safebrowsing.malware.enabled) confirms it > is malware and not phishing. Actually due to 405685, that pref will disable both checks. The screenshot implies it's phishing.

> Actually due to 405685, that pref will disable both checks. The screenshot implies it's phishing. I used the pref ui (and not the actual pref) to help narrow down the problem. It sounds like I might have been confused about which one I had enabled and which one I didn't.

(In reply to comment #10) > It sounds like I might have been confused about which one I had enabled and > which one I didn't. You're not confused. I just tested this with a clean profile on the latest nightly using the urlclassifier posted above: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.4; en-US; rv:1.9b2pre) Gecko/2007120304 Minefield/3.0b2pre Using the pref pane: Preferences -> Security case 1) "Tell me if ... suspected attack site" - checked "Tell me if ... suspected forgery" - checked result: screen shot case 2) "Tell me if ... suspected attack site" - unchecked "Tell me if ... suspected forgery" - checked result: paypal loads case 3) "Tell me if ... suspected attack site" - checked "Tell me if ... suspected forgery" - unchecked result: screen shot case 3) "Tell me if ... suspected attack site" - unchecked "Tell me if ... suspected forgery" - unchecked result: paypal loads Looks like something is getting mixed up!

(In reply to comment #11) > Looks like something is getting mixed up! Right, 405685.

Google confirms that this url was at one point blacklisted, but has been since removed from the blacklist. I zeroed out the sub chunk list, disabled the update timeout and let it spin updating for awhile. Eventually google sent me a sub that expired that entry. I suspect this was caused by 406621. We were dropping entries from add and sub chunks, we might have dropped this sub. But I'm going to leave this separate for the moment so I can verify things a bit better.

So two bugs have been fixed in beta 2 that could leave formerly blacklisted urls in the database, and some server problems in early november could have led to blacklisted urls not being removed. Between those bug fixes and 406865 (which clobbers databases that were created before these bugs were fixed), I am going to close this bug (I'm duping to 406865 since that has more information and the right deps).