browser.downloads.download will not save a .url file
Categories
(WebExtensions :: General, defect, P2)
Tracking
(firefox-esr102 affected, firefox112 wontfix, firefox113 wontfix, firefox114 wontfix, firefox115 wontfix, firefox116 wontfix, firefox117 wontfix, firefox118 fix-optional)
People
(Reporter: xdhmoore, Unassigned, NeedInfo)
References
(Regression)
Details
(Keywords: regression, Whiteboard: [addons-jira])
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/112.0
Steps to reproduce:
On Windows 10:
- Install QuickCut addon from https://addons.mozilla.org/en-US/firefox/addon/quickcut/
- Go to google.com
- Open the browser console Ctl+Shift+J
- Click the QuickCut icon in the extensions menu
Actual results:
The browser should download a file named Google.url which is a Windows shortcut file to Google.com.
Expected results:
No file is downloaded and the browser console prints
Error: filename must not contain illegal characters
If you go to about:debug, click the extension, and put a breakpoint on the line:
browser.downloads.download(downloadSettings).then(null, (error) => console.log(error));
and then before it executes change downloadSettings.filename to Google.txt
it saves the file successfully. Therefore, I believe it is the .url
that is being blocked. Also, this addon worked correctly until a few weeks ago, so I believe the problem is caused by a recent change.
I made an attempt to find recent related changes. This commit seems to touch code related to sanitizing a .url
in a filename:
https://searchfox.org/mozilla-central/diff/1cc5883b4347439b7cd871902bcda12531fca42f/uriloader/exthandler/nsExternalHelperAppService.cpp#3690
And the following two security advisories deal with filename sanitization or with .url files specifically:
https://www.mozilla.org/en-US/security/advisories/mfsa2023-05/#CVE-2023-25734
https://www.mozilla.org/en-US/security/advisories/mfsa2023-09/#CVE-2023-28163
But I may be barking up the wrong tree.
Reporter | ||
Comment 1•2 years ago
|
||
I've also posted this as a stackoverflow question here:
https://stackoverflow.com/questions/75963127/firefox-addon-browser-downloads-download-call-seems-to-fail-whenever-theres-a-p
Reporter | ||
Comment 2•2 years ago
|
||
Whoops, looks like I reversed the "Actual results" and the "Expected results".
Comment 3•2 years ago
|
||
The Bugbug bot thinks this bug should belong to the 'Firefox::File Handling' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.
Hello, thank you for the bug report!
Managed to reproduce on:
- Firefox 112.0;
- Nightly 113.0a1;
Tested and reproduced on:
- Windows 10;
- Ubuntu 22;
Could not reproduce on macOS 12.
Setting as NEW so the developers can have a look.
Comment 5•2 years ago
•
|
||
I expect this is a regression from bug 1809923 or bug 1810793 (security fix to address .url
file downloads being saved and used to read/open arbitrary files) but I would have thought that the result would be that we'd save google.url.download
, not that nothing gets saved at all. It may be that because the sanitized name is not equal to the input name, the extensions API rejects the save (code example), - but that seems like a bug to me.
It's worth noting that at least one of the exploits from those sec bugs used an extension so we cannot "just" let extensions always save arbitrary .url
files, I guess... But it seems fine to allow .download
suffixes for cases like this.
From looking at the add-on, creating these shortcuts is the "whole point" of this extension, so the .download
suffix would not be very helpful for that. I don't know that there's a good way to enable this that doesn't reopen the original security issues for webextensions. I suppose that's a question for the webextension team.
Comment 6•2 years ago
|
||
Set release status flags based on info from the regressing bug 1810793
:enndeakin, since you are the author of the regressor, bug 1810793, could you take a look? Also, could you set the severity field?
For more information, please visit auto_nag documentation.
Updated•2 years ago
|
Updated•2 years ago
|
Updated•2 years ago
|
Updated•2 years ago
|
Updated•2 years ago
|
Updated•2 years ago
|
Comment 8•2 years ago
|
||
I use QuickCut addon several times each day.
Since Firefox doesn't support downgrade, I kindly ask you to restore addon functionality by fixing this bug ASAP.
To say more, I've registered on Bugzilla just to ask about that.
Of course, for some people the security is more important than functionality.
So I suggest to add a boolean preference to about:config page, which enables/disables saving of .url files. The default value is up to you.
Comment 9•2 years ago
|
||
Linux when saving .desktop files is also affected.
ff 114.0.1 (64-Bit) Ubuntu
Comment 10•2 years ago
|
||
:neildenkin any investigation on this, as you were the assignee of the regressor?
Comment 11•2 years ago
|
||
As comment 5 describes, I think this is a question for the extensions team.
Comment 12•2 years ago
|
||
(In reply to Neil Deakin from comment #11)
As comment 5 describes, I think this is a question for the extensions team.
+1.
Will, is there anything the webextension team needs to make this actionable? And/or do you know what needs to happen but do you need someone else to do it because you don't have time to do so? Is S3 appropriate given the pinging from relman and affected users? (not intended to be a leading question, "yes" may be the right answer!)
Reporter | ||
Comment 13•2 years ago
|
||
For my part as the reporter: the above QuickCut extension now allows saving redirecting html files with a custom name pattern. So I have migrated my workflow/scripts to use *.qc.html files, to differentiate them from other html files. This workaround has solved the problem for me and I'm guessing satisfies the security issue.
Comment 14•2 years ago
|
||
Please note:
ThΠ΅ icons for *.html and *.qc.html files look the same (at least in Windows File Explorer), while the icon for *. url files looks different (has an arrow in the bottom left).
Unfortunately, it's not possible to set different icons for *.html and *.qc.html, because only the last extension matters.
Besides, when shortcut name is long, the extension name gets hidden in UI.
This is also the case when the width of the Name column in file manager is not wide enough.
Thanks for suggested workaround, but as for me, I cannot consider it as suitable.
Updated•1 years ago
|
Comment 15•1 years ago
|
||
Let me repeat my point. Take a look at file manager screenshot.
As you can see, there is no way to distinguish between the saved HTML page and HTML shortcut, while URL shortcut is distinguished clearly from both of them at the first glance (by the arrow at the bottom left corner).
That's why it's so important to fix this bugβto make Firefox comfortable for everyday use.
Meanwhile, I have to make 15 (fifteen!) mouse clicks to copy URL template, inserting a new URL into it, and rename the shortcut. It's VERY inconvenient!
So, please, fix the bug ASAP.
Updated•1 year ago
|
Comment hidden (metoo) |
Comment hidden (metoo) |
Comment hidden (metoo) |
Comment hidden (metoo) |
Comment hidden (advocacy) |
Comment hidden (advocacy) |
Comment hidden (advocacy) |
Comment hidden (offtopic) |
Comment hidden (offtopic) |
Comment hidden (offtopic) |
Description
•