300317 - This is security issue as the clear cache doesn't delete all the files in cache.

Status: RESOLVED INCOMPLETE

(Firefox :: General, defect)

Description

[Marvin George]

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4

The fact when you hit clear cache it doesn't kill all the files and leaves some
of the files plus the cache.  When the system kills the cache it recreates a new
cache folder so everything is new. On mozilla 1.8 you killed the cache folder
and then recreated it while now in firefox 1.04 you leave the files instead of
completely deleting. There is another problem when you delete the cache folder
you write into the cache trash folder and then clear the cache trash folder. You
then delete the cache folder and then recreate it again. This is adding workload
and takes longer for Firefox to come up when you are killing the cache by 
moving it into the cache tash folder.

Reproducible: Always

Steps to Reproduce:
1.This is standard delete of the cache folder.
2.The use of undelete program will show that you move it from the cache folder
to cache trash folder and then kill the files. The fach in Internet explorer
show the current date of the folder as create just now.
3.

Actual Results:  
Npyhing different

Expected Results:  
The software should of killed the cache folder and created again as it does in
mozilla 1.8 clear in the option of the cache. You should not write in the cache
trash folder as it is double work on the computer.

Comment 1

[Edward]

Same occurs with Firefox 1.0.6 (Windows).  The Cache button does not gray out
after it's selected.  When I looked in the Cache directory afterwards,
_CACHE_001, _CACHE_002_, _CACHE_003_, and _CACHE_MAP_ remained as they should,
but also two additional files.  

These two additional files were not deleted.  

Comment 2

[esanchezvela]

Hi, I setup my firefox 1.5b1 on Windows XP to use 0MB for cache, however with
Google desktop search, I am able to find old versions of html pages, I've
visited in the past

After hitting "CLEAR CACHE", I am still able to find old HTML pages in my harddrive.
   

best regards,
enrique sanchez

Comment 3

[Tim]

TO me it looks like CSS files are not being cleared from the cache when the
cache is cleared, but apparently only if the css file is loaded from within
javascript, such as with the Hardcore CMS editor.

Comment 4

[Matija Polajnar]

I just discovered those problems when using Firefox 1.5 to test&debug my web application. CSS and JPEG files were not reloaded even when using CTRL+REFRESH (but they probably should), and, yes, even after cache clear -- however, restarting firefox helped. I guess "clear cache" doesn't clear memory cache, but I guess it should ...

Comment 5

[Ajit]

(Ajit Gaddam, 01/25/06)

Tested Configuration & Build:
Firefox: 1.5 rv 1.8; Hardware: PC; OS: Windows XP 

Tried to replicate the bug. 
When we just try to remove the cache(Tools-->Options-->Privacy-->Cache-->Clear cache now), it does clear the cache. The proof of this can be seen by typing in about:cache in the URL bar.The number of entries are shown as zero in both Memory cache device and disk cache device

However, when we go to the cache folder(this can be obtained by typing in about:cache and the path is displayed in the Disk cache device) we are shown with four files _CACHE_001_, _CACHE_002_,_CACHE_003_,and  _CACHE_MAP.

These files are critical files necessary for cache. _CACHE_001_ is the file that stores the http headers. Similarly _CACHE_002_ and _CACHE_003 are files that stored html data and _CACHE_MAP is the map file. This replaces the old format cache directory must contain cache directory index database with name cache.db

However, because the path to these files is the same, we can use the NULL byte bug which adds %00.html to the end of the file

Procedure:
1.Type about:cache in Firefox in the URL bar
2.Copy the cache directory path in disk cache device
3.Open a new tab or window and type in with file:// followed by path in step2 and type _CACHE_002_%00.html like below
file:///C:/Documents%20and%20Settings/Admin/Local%20Settings
/Application%20Data/Mozilla/Firefox/Profiles/g5eyal66.default/Cache/_CACHE_002_%00.html

This results in something like the pic shown in the attachment

Overall, the initial impression of this being an exploit is reduced as firefox creates a random profile name for each installation. However the NULL byte bug still exists in the latest build of Firefox 1.5.1 rv 1.8 and the stable release of firefox v.1.5

Comment 6

[Ajit]

Attachment: Shows the page after the null problem

Comment 7

[OldManRiver]

(In reply to comment #0)
> User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8)
> Gecko/20050511 Firefox/1.0.4
> Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8)
> Gecko/20050511 Firefox/1.0.4
> Reproducible: Always
> 

We are a web development shop and we preview all posted web pages in FireFox, first and then in IE.  We are operating with Linux Servers (Red Hat and Linspire), W2K Server, W2K Pro, XP and W98se.  All our machines are experiencing the same "Cache will not clear" scenario on all web pages.

Of particular interest is we use a lot of >>Inline Frames<<, which all must have the cache cleared, then a refresh, before being able to view the latest online post.  Now that is not working.

We just downloaded the latest patches and after experiencing the problem, checked again for patches, though none were available.

This occurs regardless of site we are addressing or the content or page.  We of course can clear cache on IE so are not totally unequipped to continue our development, but need to be able to continue checking against Mozilla as appearances vary and we strive to provide "Same Look and Feel" on both.

I'm not sure how we can assist on this, but let us know if we can help.

Comment 8

[Tyler Downer [He/Him]]

Is this still a problem with Firefox 3.5.2 in a new profile?

Comment 9

[Tyler Downer [He/Him]]

No reply, INCOMPLETE. Please retest with Firefox 3.6.x or later and a new profile (http://support.mozilla.com/kb/Managing+profiles). If you continue to see this issue with the newest firefox and a new profile, then please comment on this bug.