Open Bug 1903133 Opened 1 year ago Updated 6 months ago

Occasional random zero byte files getting downloaded

Categories

(Toolkit :: Downloads API, defect, P3)

Product:
Toolkit
Component:
Downloads API
Platform:
Desktop
Unspecified
Type:
defect

Tracking

()

Status:
REOPENED

People

(Reporter: mgaudet, Unassigned)

References

Details

(Keywords: steps-wanted)

So, I'm testing out a custom build of firefox, and browsing around. I hit the NYT, clicked on. this link then hit reader mode, then left... and as I was departing the site I noticed a download had occurred: A zero-byte HTML file named QBG4ChFW.html

I've been seeing similar on occasion for a few months... not sure what's going on. I cannot reproduce, but I will say the file names seem similar when I see them.

Looking through my device trash I see GIRNGJEc.html & Y38vm-cv.html -- all zero bytes.

Perhaps the Reader Mode triagers have a sense of a good next step here is? The most helpful thing would be if it's possible to figure out easy steps to reproduce, but...

Severity: -- → S3
Component: General → Reader Mode
Product: Firefox → Toolkit

Hm, I just tried a few times to reproduce this, but no dice. If you're able to reproduce this consistently, does it reproduce in Troubleshoot Mode? If not, I wonder if we have some kind of WebExtension interference here.

Flags: needinfo?(mgaudet)

Yeah... I can't reproduce reliably or even frequently.

It's too bad too that these don't have the macOS extended attributes other downloads have ("where from" if I get-info one isn't there)

Flags: needinfo?(mgaudet)

This is unlikely to be reader mode and more likely to be weird ad networks. Last time I heard of this we couldn't really figure it out.

The best option might be to use about:logging to turn on network preset logging to the firefox profiler, and then run with minimal profiler settings (but keeping markers, which includes the MOZ_LOG things).

That will hopefully be able to provide some kind of clue what is going on?

Severity: S3 → --
Component: Reader Mode → General
Flags: needinfo?(mgaudet)

I'll see what happens. It was happening a lot more earlier in the year, but it's happened much less last little while.

Flags: needinfo?(mgaudet)
Summary: Occasional random zero bytre files getting downloaded → Occasional random zero byte files getting downloaded

Is there anything in your download history (about:downloads) that shows where the file came from?

Is there anything in the global Browser Console?

Component: General → Downloads API
Flags: needinfo?(mgaudet)
See Also: → 1903955

Unfortunately this last reproduced on a local build and a local build profile, and I seem to have blown away the build directory. Honestly I didn't realize I could get the download URL from about:downloads. If this reproduces I'll be sure to figure more details out.

Flags: needinfo?(mgaudet)

The severity field is not set for this bug.
:mak, could you have a look please?

For more information, please visit BugBot documentation.

Flags: needinfo?(mak)

Unfortunately without more info this is very hard to investigate... hopefully we can figure out more if/when this reoccurs.

Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → INCOMPLETE
Flags: needinfo?(mak)

I'm also having the same issue. Very rarely, clicking on a google link causes a random html file being downloaded. I'm on macOS 15.0 (24A335) using Nightly 132.0a1 (2024-09-29) (aarch64) with ETP strict, vertical tabs and sidebar enabled. I think it is random but the file downloaded is named 3Uwxl_AP.html. Trying to click on copy download link copies about:blank. Download origin/location is shown as moz-safe-about resource.

I asked this on Slack and was told it could be the extensions. Do you have any of the extensions I have? My installed extensions are,

  • 600% Sound Volume
  • Bitwarden
  • Enhancer for Youtube
  • Privacy Badger
  • Sponsorblock
  • uBlock Origin

Also as suggested on Slack, I set browser.download.loglevel to all and will report if it happens again.

Status: RESOLVED → REOPENED
Flags: needinfo?(mgaudet)
Resolution: INCOMPLETE → ---

uBlock Origin is the only overlapping extension I have. But I still haven't seen this in a while.

Flags: needinfo?(mgaudet)

I was researching an issue I'm almost certain is due to anti-virus interference (explained below) but I've seen similar filename patterns while exploring this. Each of these were seen by the anti-virus in my configured Downloads folder (the extension matches the file download attempted):

  • 7JsevLMl.exe
  • Ambbamu4.exe
  • oYe5HhIO.msi
  • I631P_nw.exe
  • WYViBl4D.exe
  • fQZ3xo4R.exe
  • 7Y14pAEX.exe
    I assume the download codepath creates a random filename but preserves the extension to start a download while waiting for the download to complete or for user input (e.g. 'Save Link As...') and renames the file once complete.

The repro for the issue I'm having (included for completeness, I'm not looking for any help with this issue in this bug):

  1. Have McAfee/Trellix installed and blocking download of suspicious executable files.
  2. Visit https://archive.mozilla.org/pub/thunderbird/releases/131.0.1/win64/en-US/
  3. Click on either entry OR right-click 'Save Link As...' OR configure 'Always ask you were to save files'
  4. Observe that the Downloads panel opens showing 'Download failed' - no file browser is opened when using either of the latter 2 options from previous step
  5. Network tab shows the download Get Blocked with 'NS_ERROR_FILE_ACCESS_DENIED' (setting browser.download.loglevel to all doesn't seem to provide any additional information in the Console); none of the headers match the 8 characters seen in the next step.
  6. Observe the blocking actions in the McAfee/Trellix console & see the random 8 character filenames instead of the name of the file requested.

In Edge or Chrome on the same system the download's temp file is created as 'Unconfirmed random6digits.crdownload' or a '32charcterguidwithdashes.tmp' file neither of which bother the antivirus which instead blocks the rename/move to an executable extension.

Definitely some people (me) are seeing it without AV tho

I'm new to the Apple ecosystem, so I'm not sure if there's anything pre-installed, but I don't recall installing any AV either.

I got a new random file downloaded and this is what I got in my logs

13:44:17.196
Unchecked lastError value: Error: Invalid tab ID: 99 background.js:1
13:44:17.200 [fluent] Missing message in locale en-CA: sidebar-menu-open-ai-chatbot-tooltip sidebar-main.mjs:347:38
13:44:17.200 [fluent] Missing message in locale en-CA: sidebar-menu-open-history-tooltip sidebar-main.mjs:343:38
13:44:17.203 [fluent] Missing message in locale en-CA: sidebar-menu-open-ai-chatbot-tooltip sidebar-main.mjs:347:38
13:44:17.203 [fluent] Missing message in locale en-CA: sidebar-menu-open-history-tooltip sidebar-main.mjs:343:38
13:44:17.297
Error: TelemetryStopwatch: key "WEBEXT_CONTENT_SCRIPT_INJECTION_MS" was already initialized ExtensionTelemetry.sys.mjs:224:31
13:44:17.297
Error: TelemetryStopwatch: key "WEBEXT_CONTENT_SCRIPT_INJECTION_MS_BY_ADDONID" was already initialized ExtensionTelemetry.sys.mjs:228:41
13:44:17.297
Error: TelemetryStopwatch: finishing nonexisting stopwatch. Histogram: "WEBEXT_CONTENT_SCRIPT_INJECTION_MS", key: "" ExtensionTelemetry.sys.mjs:224:31
13:44:17.297
Error: TelemetryStopwatch: finishing nonexisting stopwatch. Histogram: "WEBEXT_CONTENT_SCRIPT_INJECTION_MS_BY_ADDONID", key: "{446900e4-71c2-419f-a6a7-df9c091e268b}" ExtensionTelemetry.sys.mjs:228:41
13:44:17.298
Error: TelemetryStopwatch: finishing nonexisting stopwatch. Histogram: "WEBEXT_CONTENT_SCRIPT_INJECTION_MS", key: "" ExtensionTelemetry.sys.mjs:224:31
13:44:17.298
Error: TelemetryStopwatch: finishing nonexisting stopwatch. Histogram: "WEBEXT_CONTENT_SCRIPT_INJECTION_MS_BY_ADDONID", key: "{446900e4-71c2-419f-a6a7-df9c091e268b}" ExtensionTelemetry.sys.mjs:228:41
13:44:17.298
timerId not found for Glean timing_distribution contentScriptInjection ExtensionTelemetry.sys.mjs:182
13:44:17.319
Unchecked lastError value: Error: Invalid tab ID: 99 background.js:
13:44:17.324 Downloads: Attempting to notify that a new download has started or finished. DownloadsCommon.sys.mjs:963
13:44:17.324 Downloads: Opening the downloads panel. downloads.js:184
13:44:17.324 Downloads: Attempting to initialize DownloadsPanel for a window. downloads.js:81
13:44:17.325 Downloads: Attaching DownloadsView... downloads.js:112
13:44:17.325 Downloads: DownloadsView attached - the panel for this window should now see download items come in. downloads.js:118
13:44:17.325 Downloads: DownloadsPanel initialized. downloads.js:123
13:44:17.325 Downloads: Waiting for the downloads panel to appear. downloads.js:205
13:44:17.325 Downloads: onDownloadBatchStarting called for DownloadsView. downloads.js:788
13:44:17.325 Downloads: A new download data item was added downloads.js:817
13:44:17.325 Downloads: Adding a new DownloadsViewItem to the downloads list. aNewest = true downloads.js:883
13:44:17.326 Downloads: onDownloadBatchEnded called for DownloadsView. downloads.js:796
13:44:17.326 Downloads: The downloads item count has changed - we are tracking 1 downloads in total. downloads.js:741
13:44:17.326 Downloads: Setting the panel's hasdownloads attribute to true. downloads.js:750
13:44:17.327 Downloads: Opening downloads panel popup. downloads.js:671
13:44:17.327 Downloads: onDownloadBatchStarting called for DownloadsView. downloads.js:788
13:44:17.327 Downloads: onDownloadBatchEnded called for DownloadsView. downloads.js:796
13:44:17.327 Downloads: The downloads item count has changed - we are tracking 1 downloads in total. downloads.js:741
13:44:17.327 Downloads: Setting the panel's hasdownloads attribute to true. downloads.js:750
13:44:17.349 Downloads: Attempting to notify that a new download has started or finished. DownloadsCommon.sys.mjs:963
13:44:17.349 Downloads: Showing new download notification. DownloadsCommon.sys.mjs:993
13:44:17.350 Downloads: _updateStateInner, target exists?  /Users/fkilic/Downloads/cIHs-b2X.html true DownloadsViewUI.sys.mjs:723
13:44:17.365 Downloads: Downloads panel has shown. downloads.js:327
13:44:27.517 Downloads: Downloads panel has hidden. downloads.js:347

It looks like it has to with content script injection but I'm not sure.

Q: Anyone else who has seen this... are you using the containers add on?

I ask mostly because this -just- reproduced for me (once) and the two tabs I opened, one opened in regular context, the other inside my "Personal" container tab. So I'm curious if this might be related to that.

Unfortunately I didn't have any extra logging on.

I regularly use containers. I'm not sure if I had any active tabs within another container at the time of random download though.

Severity: -- → S3
Keywords: steps-wanted
Priority: -- → P3
Hardware: Unspecified → Desktop
See Also: → 1762416
See Also: → 1977871
You need to log in before you can comment on or make changes to this bug.