1995384 - Spoofing RTLO

Status: UNCONFIRMED

(Firefox for Android :: Downloads, defect)

Description

[UmarZR]

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:144.0) Gecko/20100101 Firefox/144.0

Steps to reproduce:

1. visit link umar1105.github.io/spoof-rtlo.html
2. Click download file
3. Observed

The vulnerability allows manipulation of the download file name by inserting a Unicode control character (e.g., U+202E — Right-to-Left Override). This causes the file name to appear reversed or misleading in the browser’s GUI, effectively hiding the file’s actual extension.

Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=1649160

Actual results:

• When a downloaded filename includes a Unicode RTL control character (e.g., invoice\u202Efdp.exe), the browser download dialog / GUI displays the name in a reversed/obfuscated form such as invoiceexe.pdf.
• The displayed name visually hides the real .exe extension, misleading the user into thinking the file is a harmless document, while the actual file on disk remains an executable (.exe).

Expected results:

• The browser should display the true filename and extension as stored on disk, without being visually altered by Unicode control characters.
• Unicode control characters that affect text direction should be sanitized, escaped, or rendered in a way that does not change the visual order of the filename (for example: show the control characters as \u202E or remove them).
• The UI should clearly indicate the actual file type (extension and/or MIME type) — e.g., show the correct extension in plain text, a tooltip with the real filename, and a warning if the displayed extension does not match the file’s MIME/type.
• Optionally: reject or warn about filenames that contain directionality control characters when presented for download.

Comment 1

[BugBot [:suhaib / :marco/ :calixte]]

The severity field is not set for this bug.
:boek, could you have a look please?

For more information, please visit BugBot documentation.