Closed Bug 1692993 Opened 4 years ago Closed 3 years ago

When downloading a file considered unsecure and allow the download, Firefox puts a 0 octet file in the Download dir

Categories

(Core :: DOM: Security, defect, P1)

Product:
Core
Component:
DOM: Security
Version:
Firefox 87
Type:
defect

Tracking

()

Status:
RESOLVED WORKSFORME
Tracking Flags:
Tracking Status
firefox-esr78 --- unaffected
firefox85 --- unaffected
firefox86 --- disabled
firefox87 --- disabled
firefox88 --- disabled
firefox89 --- disabled

People

(Reporter: foss, Assigned: sstreich)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: regression, Whiteboard: [domsecurity-active])

Hello,

I'm on Debian GNU/Linux 10 with Firefox Nightly.

Steps to reproduce:

  1. Open this page for example: https://wiki.geogebra.org/en/Reference:GeoGebra_Installation#GeoGebra_Classic_6
  2. Click on the link to download the Linux (deb) version of GeoGebra.
  3. Firefox finds it as unsecure, allow the download anyway.
  4. Try to right-click then choose open the directory where the file has been downloaded.
  5. You're going to /tmp/
  6. Go on the download folder

Result:
In the download folder, a file with the right name exists but with 0 octet.

Expected result:
The file should be placed in the download folder.

Thanks in advance.

Summary: When downloading a file considred unsecure and allow the download, Firefox puts a 0 octet file in the Download dir → When downloading a file considered unsecure and allow the download, Firefox puts a 0 octet file in the Download dir

Does this happens with older versions of Nightly?

Flags: needinfo?(aarnaud)

(In reply to Dragana Damjanovic [:dragana] from comment #1)

Does this happens with older versions of Nightly?

In version of September 2020, it was merely impossible to download the mentioned file with Firefox because the download was completely unauthorized. I think the feature to allow downloading considered insecure files never download the file in the right folder, at least under GNU/Linux.
(I don't think I could perform mozgression on this bug.)

Flags: needinfo?(aarnaud)

Mozregression points to bug 1676221

Blocks: improve-download-security
Component: Networking: File → DOM: Security
Flags: needinfo?(sstreich)
Regressed by: 1676221
See Also: → 1656296
Has Regression Range: --- → yes

Set release status flags based on info from the regressing bug 1676221

status-firefox85: --- → unaffected
status-firefox86: --- → affected
status-firefox-esr78: --- → unaffected

dom.block_download_insecure is nightly only

status-firefox86: affecteddisabled

Julian, any chance you could take a look at this one as well?

Flags: needinfo?(sstreich) → needinfo?(julianwels)

(In reply to Masatoshi Kimura [:emk] from comment #7)

Dupe of bug 1686756?

That bug is "https-only" mode. similar, but not quite a dupe.

Assignee: nobody → sstreich
Severity: -- → S3
Status: NEW → ASSIGNED
Priority: -- → P1
Whiteboard: [domsecurity-active]
Depends on: 1696064, 1694139
Flags: needinfo?(julianwels)

Hi! -From the time this was reported, we changed the way we choose the download location && how we handle the file cleanup.
I can't reproduce this with today nightly on ubuntu. Can you maybe recheck if this problem still happens for you? :)

Flags: needinfo?(aarnaud)

(In reply to Sebastian Streich [:sstreich] from comment #9)

Hi! -From the time this was reported, we changed the way we choose the download location && how we handle the file cleanup.
I can't reproduce this with today nightly on ubuntu. Can you maybe recheck if this problem still happens for you? :)

I confirm, I no longer reproduce the problem too.

Thanks a lot for fixing it.

Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Flags: needinfo?(aarnaud)
Resolution: --- → FIXED
status-firefox89: affecteddisabled
Resolution: FIXED → WORKSFORME
You need to log in before you can comment on or make changes to this bug.