Closed Bug 232564 Opened 21 years ago Closed 16 years ago

Warn on downloads not initiated by the user

Categories

(Toolkit :: Downloads API, defect)

VERIFIED WONTFIX

People

(Reporter: emichrod, Unassigned)

References

(Depends on 1 open bug)

Details

User-Agent:       
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.5) Gecko/20031007 Firebird/0.7

Autodownloading allows malicious .exe (and other) programs to be downloaded
without warning. And the small size of this type of program does not permit the
download window to be displayed long enough to take notice of it.

This permits these programs to be executed, leaving the user without
information about the owner and origin of the downloaded files.

Reproducible: Always
What type of warning are you expecting?  Any "save to disk" option in a modern 
browser lets you do this without any type of warning.  If you try to open an 
autodownloaded .exe from the Download Manager, it will give you a warning.  The 
only thing that autodownload does is save to a location automatically, instead 
of asking you where to save.

And how are you saying this gets triggered for download and execution?  Via 
javascript?
Status: UNCONFIRMED → RESOLVED
Closed: 21 years ago
QA Contact: mconnor
Resolution: --- → INVALID
Pages with "popup file" functions (like "popup window" code) start the autodownload
function in Firebird, and these files can be viruses or spyware. It is more secure
for users to always be asked before downloading a file, because nobody remembers
exactly what, e.g., "mbs234.exe" in your download folder means, really?

An improved "block popup files" and not only "block popup windows" option can help.

Can you provide a URL where files autodownload like this?  I don't think we need
to treat users like morons and cripple the browser as a result.
I have been a great enthusiast of Firebird (now Firefox) for many years (from
Netscape 2 onward): fast, clean, easy to use, secure and with very, very great
development tools. I hope my suggestions can help make this product better.

Please try opening www.andr.net with your Firebird, with the download option set to
"save all files to this folder...".

From this site "I have downloaded" the file cmb_243461.exe (size 118kb), without
requesting it.

I hope this is useful (please try many times, or wait a moment for the
download to occur).

Many thanks for your quick answer and time.

I'm not sure this is a true security issue, since it still requires user
intervention.  However, reopening for consideration whether we should
prompt/warn on automatic download links.

I think the ability to disable this is sufficient for security-conscious people,
if they're unclear on what they can/can't click on safely.
Status: RESOLVED → UNCONFIRMED
Resolution: INVALID → ---
morphing summary to reflect what this is really about.  Pages that initiate
automatic downloads should probably prompt the user at some point.  Otherwise,
someone could find a malicious download later and click to open to find out what
it is.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: Autodownload allow to malicious .exe programs be donwloaded without warning → Warn on downloads not initiated by the user
As mentioned in comment 2, I think this should be regarded similarly to pop-up
windows (and for the very same rationale that pop-up windows are blocked). If
the user doesn't explicitly click a link to initiate a download, some effort
should be made to notify the user. This could be a notification (alert in the
corner or status bar icon) or a dialog box. Alternatively, automatically
downloaded files could be differentiated in the manager by color or a short
message. I think either form of notification would be the best because of their
simplicity.
set this bug as fixed, until more information can be provided
er, this isn't fixed at all.

I wonder if we can hook into permmgr for this.  Still, not something critical
for 1.0.
If you visit this site, http://www.freeserials.com/index.shtml, and leave, you will
have in your download folder a file called cmb_243461.exe, and every time you click
search you will have an additional copy. This program is some kind of dialer;
you definitely don't want to touch this program and you want to delete it. But if
you don't check your download folder immediately and forget about it, it can be
executed by mistake (since you think that your download folder should contain
things you wanted to download). And this is probably a big security concern. I
have seen that in the new 1.0 builds there is security for extensions, so now it is
virtually impossible to install an extension by accident: you have a 3 sec delay and
the site needs to be whitelisted. Something should be done with exe files also!
*** Bug 293420 has been marked as a duplicate of this bug. ***
*** Bug 279478 has been marked as a duplicate of this bug. ***
Assignee: bugs → nobody
QA Contact: mconnor → download.manager
Depends on: 344267
As I said in 347289 comment 1, this would be annoying and would not improve security at all.  Fixing bug 249951 makes a lot more sense.
A lot of sites do this now (including the download pages for Firefox and Thunderbird).  I suggest WONTFIX and fixing Bug 249951
Status: NEW → RESOLVED
Closed: 21 years ago → 16 years ago
Resolution: --- → WONTFIX
Product: Firefox → Toolkit
Status: RESOLVED → VERIFIED