Closed
Bug 249677
Opened 20 years ago
Closed 20 years ago
cancel does not delete temporary file in helper app dialog, if default action = save
Categories: (Core Graveyard :: File Handling, defect)
Tracking: (Not tracked), VERIFIED FIXED, mozilla1.8alpha3
People: (Reporter: danielwang, Assigned: Biesinger)
References: (Blocks 1 open bug)
Details: (Keywords: regression)
Attachments: (1 file) patch, 1.71 KB; darin.moz: review+, jst: superreview+
A few days ago, I encountered a Web page that attempts to install the "sbc_netscape.xpi" spyware. I said no. Today I did a full system antivirus scan and to my amazement the file is in my C:\Documents and Settings\<user>\Local Settings\Temp\ .

I noticed that if you do location = URL_to_binary_file, a download prompt appears, and the file is being downloaded silently to the temp folder. The file is deleted, however, if you click cancel.

I speculate the attacker site did some kind of JS magic to get the file downloaded. I'll try to find where I visited and get the code. Meanwhile, please feel free to mark this as invalid. I just want to warn you guys first.

[reference: http://forums.mozillazine.org/viewtopic.php?p=466923#466923]
Assignee | ||
Comment 1•20 years ago
|
||
> I noticed that if you do location = URL_to_binary_file, a download prompt
> appears, and the file is being downloaded silently to the temp folder.
this is by design. (although this may change, see bug 69938)
given
> The file is deleted, however, if you click cancel.
this is invalid.
the mozillazine link seems to be about something else (something concerning xpi installs in general)
I'm confused by the first part of comment 0. can you explain it? that seems to be about an XPI install dialog? are you saying that in that case, the file is not deleted?
Reporter | ||
Comment 2•20 years ago
|
||
> I'm confused by the first part of comment 0. can you explain it? that seems to
> be about an XPI install dialog? are you saying that in that case, the file is
> not deleted?
Yes. I was prompted a XPI install dialog (not a download dialog), and somehow
the file is downloaded to the temporary directory and not deleted. I couldn't
find the page that causes this. I'll try to investigate this further.
Reporter | ||
Comment 3•20 years ago
|
||
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8a2) Gecko/20040702

k, this is weird

location.href="http://www2.flingstone.com/cab/sbc_netscape.xpi";

gives a download prompt dialog, and clicking cancel does not remove the file. (This is on a Windows 2000 advanced user account.) I believe I was in an administrator account when I last tested (and the file was removed).

It's possible that what I saw was a download prompt, not an install prompt.
Whiteboard: [Should be UNCONFIRMED]
Reporter | ||
Comment 4•20 years ago
|
||
really confirming. (sorry for the bugspam) On the 20040702 build, cancelling download prompt does not delete the file (on admin or adv user account). On Mozilla 1.7 final, this does not occur.
Keywords: regression
Summary: [speculative] location.href = file may successfully downloads the file to computer (temp folder) → location.href = file successfully downloads the file to temp folder (cancel does not delete it)
Whiteboard: [Should be UNCONFIRMED]
Assignee | ||
Comment 5•20 years ago
|
||
urg. I believe you're correct.
-> me, probably caused by bug 244448
Does the file already have the correct filename while the dialog is still shown, or is it something like <random string>.<ext>?
Assignee: darin → cbiesinger
Component: Networking → File Handling
QA Contact: benc → ian
Assignee | ||
Comment 6•20 years ago
|
||
Assignee | ||
Updated•20 years ago
|
Summary: location.href = file successfully downloads the file to temp folder (cancel does not delete it) → cancel does not delete temporary file in helper app dialog, if default action = save
Assignee | ||
Updated•20 years ago
|
Attachment #152285 -
Flags: review?(darin)
Assignee | ||
Comment 7•20 years ago
|
||
I don't think that failure to delete this file is a security issue, really. mind
if I clear the security flag?
>Does the file already have the correct filename while the dialog is still shown,
>or is it something like <random string>.<ext>?
seems to be the random filename in my testing, as expected.
Status: NEW → ASSIGNED
OS: Windows 2000 → All
Hardware: PC → All
Target Milestone: --- → mozilla1.8alpha2
Reporter | ||
Comment 8•20 years ago
|
||
it's <random string>.<ext>
> I don't think that failure to delete this file is a security issue, really. mind
> if I clear the security flag?
fine with me.
Assignee | ||
Updated•20 years ago
|
Group: security
Updated•20 years ago
|
Attachment #152285 -
Flags: review?(darin) → review+
Assignee | ||
Updated•20 years ago
|
Attachment #152285 -
Flags: superreview?(jst)
Comment 9•20 years ago
|
||
Comment on attachment 152285
patch
sr=jst
Attachment #152285 -
Flags: superreview?(jst) → superreview+
Assignee | ||
Updated•20 years ago
|
Attachment #152285 -
Flags: approval1.8a2?
Assignee | ||
Updated•20 years ago
|
Target Milestone: mozilla1.8alpha2 → mozilla1.8beta
Assignee | ||
Updated•20 years ago
|
Attachment #152285 -
Flags: approval1.8a2?
Assignee | ||
Comment 10•20 years ago
|
||
Checking in nsExternalHelperAppService.cpp;
/cvsroot/mozilla/uriloader/exthandler/nsExternalHelperAppService.cpp,v <-- nsExternalHelperAppService.cpp
new revision: 1.265; previous revision: 1.264
done
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Assignee | ||
Updated•20 years ago
|
Target Milestone: mozilla1.8beta → mozilla1.8alpha3
Reporter | ||
Updated•20 years ago
|
Status: RESOLVED → VERIFIED
Updated•8 years ago
|
Product: Core → Core Graveyard
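
The behaviour discussed in this bug, as an added example that is not taken from the Mozilla source or from the attached patch: data streams into a randomly named temp file while the prompt is still open, and cancelling removes that file whatever the dialog's default action is. The class, method and function names are hypothetical, and the sample bytes are constructed.

```python
import os
import secrets
import tempfile


class PendingDownload:
    """Hypothetical model of a download that starts before the user answers."""

    def __init__(self, temp_dir, suggested_name, default_action="save"):
        ext = os.path.splitext(suggested_name)[1]
        # Random leaf name: the server-chosen name never appears in temp_dir.
        self.temp_path = os.path.join(temp_dir, secrets.token_hex(8) + ext)
        self.suggested_name = suggested_name
        self.default_action = default_action  # choice preselected in the dialog
        # "x" is exclusive creation: it fails if the path already exists.
        self._out = open(self.temp_path, "xb")

    def on_data(self, chunk):
        # Called for each network chunk while the prompt is still displayed.
        self._out.write(chunk)

    def cancel(self):
        # Cleanup is unconditional; it never branches on default_action.
        self._out.close()
        if os.path.exists(self.temp_path):
            os.remove(self.temp_path)

    def save_to(self, dest_dir):
        self._out.close()
        # basename() drops directory components from the server-supplied name.
        final = os.path.join(dest_dir, os.path.basename(self.suggested_name))
        os.replace(self.temp_path, final)
        return final


def leftovers_after_cancel(default_action):
    """Run one cancelled download and list what remains in the temp dir."""
    with tempfile.TemporaryDirectory() as temp_dir:
        dl = PendingDownload(temp_dir, "sample.xpi", default_action)
        dl.on_data(b"constructed sample bytes")
        dl.cancel()
        return os.listdir(temp_dir)


if __name__ == "__main__":
    for action in ("save", "open"):
        print(action, leftovers_after_cancel(action))
```

A regression test for this class of bug runs the cancel path once per possible default action and checks that the temp directory is empty afterwards.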