Closed Bug 1759670 Opened 3 years ago Closed 3 years ago

When set to "always ask", Firefox is saving .part files into the directory of prior downloads instead of a temp directory

Categories

(Firefox :: Downloads Panel, defect)

Product:
Firefox
Component:
Downloads Panel
Type:
defect

Tracking

()

Status:
RESOLVED INCOMPLETE

People

(Reporter: freddy, Unassigned)

Details

Hi,

this was sent to us via email to security@, I'll quote verbatim:

Say you have two folders, Alpha and Beta.

Set firefox to ask the download location every time
save a file to Alpha
Save another download to Beta
the partial download ".part" file will be stored in Alpha before being
moved to Beta

There's a microscopic chance this has security implications so I wanted
to disclose it in private.

I noticed it because Dropbox kept bugging me about part files, so in my
case, Dropbox was getting files it wasn't supposed to be getting.
Privacy implications for me, but not part of the core Firefox security
model.

Windows 10
FF 98.0 (64-bit)

I suppose in lack of a clear direction where to store the ".part" file, choosing a Temporary Directory would be more useful than picking the last directory, but maybe this is working as intended?

I don't think we use the "last" directory, we should be using the default download directory (which is user-controlled and user-specific). Are you seeing something else?

Flags: needinfo?(fbraun)

I didn't reproduce but have sent email to the original reporter so he can respond directly.

Flags: needinfo?(fbraun)

The severity field is not set for this bug.
:mak, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(mak)

Without more info, I think there isn't much we can do here.

Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → INCOMPLETE
Flags: needinfo?(mak)
You need to log in before you can comment on or make changes to this bug.