Page thumbnails from private mode tabs are kept in the cache after a crash
Categories
(Fenix :: General, defect, P2)
Tracking
(firefox117 wontfix, firefox118 wontfix, firefox119 fixed)
People
(Reporter: st3fan, Assigned: matt-tighe)
References
Details
(Keywords: privacy, sec-moderate, Whiteboard: [fxdroid][adv-main119+r])
Attachments
(10 files, 10 obsolete files)
85.72 KB,
patch
|
Details | Diff | Splinter Review | |
18.00 KB,
patch
|
Details | Diff | Splinter Review | |
14.13 KB,
patch
|
Details | Diff | Splinter Review | |
12.94 KB,
patch
|
Details | Diff | Splinter Review | |
31.82 KB,
patch
|
Details | Diff | Splinter Review | |
17.87 KB,
patch
|
Details | Diff | Splinter Review | |
5.07 KB,
patch
|
Details | Diff | Splinter Review | |
4.99 KB,
patch
|
Details | Diff | Splinter Review | |
40.63 KB,
patch
|
jonalmeida
:
review+
dveditz
:
sec-approval+
|
Details | Diff | Splinter Review |
59 bytes,
text/x-github-pull-request
|
Details | Review |
We received a bug report from someone who mentioned that they mostly work in private mode, but are seeing the storage used by Firefox grow.
I think this needs a bigger investigation, for which I filed bug 1721905
In my own limited exploration I have found one case where sensitive cached data from private mode is left behind when the application is killed.
Steps to reproduce:
- Open some tabs in private mode
- Kill Firefox (I used
kill -9
from a root shell - swiping the app away may not work) - Start Firefox again
Expected:
No private tabs are open and cache directories are empty.
Actual:
No private tabs are open, but I did see the following data on disk:
taimen:/data/data/org.mozilla.firefox/cache # find .
.
./gecko_temp
./mozac_browser_thumbnails
./mozac_browser_thumbnails/thumbnails
./mozac_browser_thumbnails/thumbnails/789b065e-fb9b-4373-b47a-ee39dc95b12c.0
./mozac_browser_thumbnails/thumbnails/e6a057a2-b438-4a08-a7b8-5cfa501b5e08.0
./mozac_browser_thumbnails/thumbnails/5171ea7f-9278-42c4-8eae-15073f66ca08.0
./jna-3506402
./kfz44b8d.default
./kfz44b8d.default/cache2
./kfz44b8d.default/cache2/doomed
./kfz44b8d.default/cache2/entries
./kfz44b8d.default/cache2/entries/342AC7BEC15653F647CF0E081A0209627846056F
The cache2/entries
is a Nimbus JSON file. I assume that is fine. But the three files in mozac_browser_thumbnails
are full screen screenshots of the tabs I had open in private mode.
Restarting Firefox does not make these go away. They stick around.
Reporter | ||
Updated•3 years ago
|
Updated•3 years ago
|
Reporter | ||
Updated•3 years ago
|
Comment 1•3 years ago
|
||
Christian mentioned that Jon and he worked on addressing this. Jon do you recall if we landed a fix here?
Comment 2•3 years ago
|
||
We had some ideas on it, but we didn't explicitly land any patches for this, to the best of my knowledge.
Updated•2 years ago
|
Updated•2 years ago
|
Updated•2 years ago
|
Updated•2 years ago
|
Updated•2 years ago
|
Comment 4•2 years ago
|
||
@Jon Curious about the ideas mentioned in https://bugzilla.mozilla.org/show_bug.cgi?id=1721904#c2.
If we'd try to specifically tackle the mozac_browser_thumbnails/thumbnails
issue I think we should differentiate between thumbnails and such for private vs normal browsing.
My idea for this is that we could mark each file with it's browsing mode indicator or just when private but using separate directories seems cleaner and would support other related functionalities also.
Then we could have a foreground service that can be started:
- when we detect a crash
- when when the task is removed
to cleanup the private browsing mode directory.
Comment 5•2 years ago
|
||
The ideas were similar. Either pre/post-fix the file names with the browsing mode and remove those or use a separate folder. I'm also inclined to using a separate folder.
For the clean-up strategy, during initialization of the ThumbnailsStorage, we could do a full directory delete or file name search before we start persisting new files. That avoids the problem of the app force quitting and leaving thumbnails around.
The files can also be created as a TempFile and then removed with deleteOnExit
. We could use this solution with either direction, filename fixtures or separate folder.
Comment 6•2 years ago
|
||
Investigated the possible approaches and while using deleteOnExit seemed better to usd we'd had to do deep modifications in how we currently cache the thumbnails - through the help of the DiskLruCache
external library.
So I went into separating the storages for thumbnails from normal tabs vs private tabs but I want to confirm the general direction before finishing the patches so I'll add them here.
Note that I focused on ensuring all operations from ThumbnailsMiddleware
work as before with as little changes as possible.
In my tests with using adb shell am force-stop org.mozilla.fenix.debug
I see that these patches do help fix the issue by ensuring no leftover files for after the app is reopened.
Comment 7•2 years ago
|
||
Comment 8•2 years ago
|
||
Comment 9•2 years ago
|
||
Comment 10•2 years ago
|
||
Comment 11•2 years ago
|
||
Comment 12•2 years ago
|
||
Comment 13•2 years ago
|
||
Updated•2 years ago
|
Updated•2 years ago
|
Comment 14•2 years ago
|
||
Comment 15•2 years ago
|
||
Comment 16•2 years ago
|
||
While individual patches may allow to more easily follow the changes needed for each thumbnails scenario this one patch for all changes will help in easily applying the changes.
Comment 17•2 years ago
•
|
||
Updated•2 years ago
|
Updated•2 years ago
|
Updated•2 years ago
|
Updated•2 years ago
|
Updated•2 years ago
|
Updated•2 years ago
|
Updated•2 years ago
|
Updated•2 years ago
|
Comment 18•2 years ago
|
||
All proposed patches squashed in just one that should help in easily applying the changes.
Comment 19•2 years ago
|
||
Comment 20•2 years ago
|
||
Comment 21•2 years ago
|
||
Comment 22•2 years ago
|
||
Comment 23•2 years ago
|
||
Comment 24•2 years ago
|
||
Comment 25•2 years ago
|
||
Comment 26•2 years ago
|
||
Updated the proposed patches with documentation and tests.
Ran detekt
, ktlint
and all unit tests in A-C and Fenix successfully.
In manual testing all seemed okay - same previous behavior but if using adb shell am force-stop org.mozilla.fenix.debug
the private thumbnails are leaked until the next time the app starts.
Tried using deleteOnExit
also with
override fun getCacheDirectory(): File { return File(getCacheParentDirectory(appContext), PRIVATE_CACHE_DIRECTORY_NAME).also { it.deleteOnExit() }
in the new PrivateThumbnailsDiskCache
but that didn't seem to work when killing the app with adb shell am force-stop org.mozilla.fenix.debug
.
Seems like we have a similar issue with browser icons from private tabs which are not automatically deleted when those tabs are closed.
Seeing that the thumbnails were automatically deleted when the private tabs are closed - so we already have a different behavior in between icons and thumbnails I am not sure if we should look into have similar patches for icons also.
Comment 27•2 years ago
|
||
Comment on attachment 9325757 [details] [diff] [review]
Bug_1721904_-_Separate_cache_dirs_all_patches_in_one.patch
Adding myself for f? so this bug doesn't get forgotten.
Assignee | ||
Updated•1 year ago
|
Assignee | ||
Comment 28•1 year ago
|
||
Comment 29•1 year ago
|
||
Comment 30•1 year ago
|
||
Comment on attachment 9325757 [details] [diff] [review]
Bug_1721904_-_Separate_cache_dirs_all_patches_in_one.patch
Removing r? from obsolete patch.
Comment 31•1 year ago
|
||
Comment on attachment 9344462 [details] [diff] [review]
Bug_1721904_introduce_private_thumbnail_cache.patch
You don't need to ask for sec-approval for a sec-moderate or sec-low bug; see https://firefox-source-docs.mozilla.org/bug-mgmt/processes/security-approval.html (linked from the yellow-orange security bug banner above)
If there's a part of the patch that worries you about being revealing you could ask out of band about it
Comment 32•1 year ago
|
||
Comment 33•1 year ago
|
||
Authored by https://github.com/MatthewTighe
https://github.com/mozilla-mobile/firefox-android/commit/dee12005df0740b9260cc2c6150b5e20ff1c2f3d
[main] Bug 1721904 - update thumbnail caching on app open
Updated•1 year ago
|
Comment 34•1 year ago
|
||
The patch landed in nightly and beta is affected.
:matt-tighe, is this bug important enough to require an uplift?
- If yes, please nominate the patch for beta approval.
- If no, please set
status-firefox118
towontfix
.
For more information, please visit BugBot documentation.
Assignee | ||
Updated•1 year ago
|
Updated•1 year ago
|
Updated•1 year ago
|
Comment 35•1 year ago
|
||
Putting Dan Ballard in CC because we couldn't backport this right now to our 115esr-based Tor Browser for Android but we want to do it in 13.0.2 (late November).
Can we please keep this confidential until then? Thank you!
Comment 36•6 months ago
|
||
Bulk-unhiding security bugs fixed in Firefox 119-121 (Fall 2023). Use "moo-doctrine-subsidy" to filter
Description
•