Closed Bug 259708 Opened 20 years ago Closed 20 years ago

Trying to save file from data: protocol wipes every file in target directory not marked read-only

Categories

(Toolkit :: Downloads API, defect)

Product:
Toolkit
Component:
Downloads API
Platform:
x86
All
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: WeirdAl, Assigned: bugs)

References

Details

(Keywords: dataloss, fixed-aviary1.0, testcase, Whiteboard: [sg:fix])

Attachments

(2 files, 1 obsolete file)

Testcase HTML page
2.38 KB, text/html
Details
patch
4.61 KB, patch
shaver
: review+
Details | Diff | Splinter Review
Testcase coming up in a few minutes. Mozilla/5.0 (Windows; U; Win98; rv:1.7.3) Gecko/20040913 Firefox/0.10 Basically, I had written an article for my blog (not yet posted) whereby a short script would convert a textarea's contents into a data: URI for saving. So with a content-type of application/octet-stream, Firefox would try to save it. Unfortunately, it would never go beyond the "Starting" phase of the "download". When you hit cancel, bye-bye directory's contents, except for the first file. Repeated testcase in Mozilla 1.8a3: did NOT see the same results. Example worked perfectly.
Attached file Testcase HTML page
Steps to reproduce: (1) Tools, Options, Downloads. Set the directory to a brand-new one. (2) In said download directory, manually create three or four new files, perhaps a directory or two. (3) Open attachment, scroll to bottom and click "Save File" button. (4) Mozilla Firefox asks you whether you want to open the file or save it... choose "Save to disk". (5) Download Manager appears with "Starting" message for Downloads directory (this is probably NOT what should happen. It should show an actual file being downloaded.) (6) Hit Cancel link in Download Manager. Expected result: Download cancels safely. Actual result: All but one file in your downloads directory are completely gone, unrecoverable. Reproducible: Always
blocking1.0? because of traumatic dataloss. Yes, it's a rare scenario, but it's very evil.
Flags: blocking-aviary1.0?
Flags: blocking-aviary1.0? → blocking-aviary1.0+
Further testing shows the only reason any file in the target directory survived -- for that matter, the target directory itself -- is because said file was marked read-only.
Summary: Trying to save file from data: protocol wipes every file in target directory except first one → Trying to save file from data: protocol wipes every file in target directory not marked read-only
Sounds like some of the (forked) front-end code is making silly assumptions about the ability to get a non-empty filename off a URI. Since it's forked, I happen to not really care.
I've tracked the problem back to http://lxr.mozilla.org/aviarybranch/source/uriloader/exthandler/nsExternalHelperAppService.cpp . I think it unusual that we don't get a file picker to find out the preferred filename for this file.
whoa, what exactly in that file does this?
I'm betting that the temp file is being set to the directory (by the Firefox download manager breakage) and then that PR_TRUE in the delete that you fixed on trunk recently kicks in.
nsExternalAppHandler::InitializeDownload is suspicious, insomuch as it is the only code which refers to an aDownload object. For that matter, I should clarify that it very well could be nsDownloadManager.cpp . I thought nsExternalAppHandler was responsible because I didn't see it specify or request a filename right away.
(In reply to comment #7) > I'm betting that the temp file is being set to the directory (by the Firefox > download manager breakage) and then that PR_TRUE in the delete that you fixed on > trunk recently kicks in. we should make sure that the patch for bug 259890 lands on the aviary and 1.7 branches.
:( Note bug 259890 comment 7. The patch for Mozilla trunk will not apply to Firefox 1.0 branch.
Attached patch Ported patch (obsolete) — Splinter Review
Untested, cargo-cult.
Comment on attachment 160030 [details] [diff] [review] Ported patch r+sr=bzbarsky
Attachment #160030 - Flags: superreview+
Attachment #160030 - Flags: review+
Attachment #160030 - Flags: approval-aviary?
Comment on attachment 160030 [details] [diff] [review] Ported patch Actually, clearing reviews. This patch is on the wrong bug. It may well fix this bug (in that the directory will no longer be wiped), but even with it in you won't be able to save...
Attachment #160030 - Flags: superreview+
Attachment #160030 - Flags: review+
Attachment #160030 - Flags: approval-aviary?
Comment on attachment 160030 [details] [diff] [review] Ported patch obsoleting, as this is being covered by bug 259890
Attachment #160030 - Attachment is obsolete: true
I just committed the patch for 259890, which might also fix this -- can someone confirm that it does with tomorrow's nightly, and resolve this if so?
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7.3) Gecko/20040925 Firefox/0.10 is still showing this bug! ftp://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/sweetlou-0.9/Firefox-win32.zip dated 9/25/04 2:35:00 PM
Oh, I wasn't doing the right steps to reproduce the bug. I can reproduce it with my PR1.0 build, but my aviary-1.0 nightly with my patch isn't failing to download - it downloads successfully and it's so fast I can't hit cancel.
confirmed, this bug is still present in 09/25 builds. :-(
Asa suggested this become a security-sensitive bug due to possible side-effects.
Group: security
Status: NEW → ASSIGNED
Tracy, can you try to figure out when this was first introduced and which products/releases it impacts?
This bug affects releases at least back to Firefox 0.8 I can't reproduce this on Mozilla builds. Tested 1.8a4 and 1.7 On Firefox 0.8 and 0.9 I didn't have to cancel the download. It was too fast to cancel anyhow. But the folder I selected to download to was overwritten by the downloaded testfile (it kept the Folder name). Mozilla builds installed the file into the selected Folder without data loss.
Comment on attachment 160553 [details] [diff] [review] patch r=shaver.
Attachment #160553 - Flags: review+
For the record, though I may be too late, I was able to reproduce this bug also on Linux with a debug-built Firefox.
OS: Windows 98 → All
The patch does fix this bug, but I get an exception running my testcase: *** exception in validateLeafName: [Exception... "Component returned failure code: 0x80520001 (NS_ERROR_FILE_UNRECOGNIZED_PATH) [nsILocalFile.append]" nsresult: "0x80520001 (NS_ERROR_FILE_UNRECOGNIZED_PATH)" location: "JS frame :: file:///home/ajvincent/mozilla/dist/bin/components/nsHelperAppDlg.js :: anonymous :: line 211" data: no]
fixed Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7.3) Gecko/20040929 Firefox/0.10 as of a sweetlou build timestamped 2004092917 We pass the testcase, and I can file a separate (non-blocking-aviary) bug for fixing the download manager (or our help dialog) to get a filepicker so we save the file properly. Question, though: are there any other protocols which can force a pseudo-download? I'm leaving this bug as ASSIGNED, in case there are such protocols or resolving as FIXED would open this bug to the public. Until I am assured of such, I think I should not file the spinoff bug for getting the filepicker.
Verified fixed on Windows branch build 2004-09-30-08-0.9 fyi: I also tried some various scenarios with sending, saving and opening the file on the Thunderbird branch and had no data loss.
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Given that this bug is fixed, as tested by myself and Tracy Walker, could we please re-expose this bug to the public? I'd like to be able to talk about it again.
Alex, we're hustling to get a Firefox update in place, both an xpi patch and a full 0.10.1 build. If all goes well, we'll be shipping that tomorrow. I'd like to keep this closed until then. Is that OK with you?
Fine. :) I'm just writing out some analysis of the bug's process now for posting to my blog.
Comment on attachment 160553 [details] [diff] [review] patch ok, so this patch cathes an exception and modifies the filename if it finds one. (I do think "unnamed" should be localizable, btw). but wouldn't a better fix be _not_ to recursively delete something that is supposed to be a single file? it seems to me like there must be a remove(true) somewhere that would better be a remove(false).
Isn't the recursive delete what you fixed in bug 259890? Or did that turn out to be unrelated?
Blocks: sbb?
dveditz: comment 18 said that the patch there did not fix this bug; so it seems unrelated
Isn't the cause of the problem more likely to be the Remove(PR_TRUE) here? http://lxr.mozilla.org/aviarybranch/source/toolkit/components/downloads/src/nsDownloadManager.cpp#566 That checks if the file exists, and if it does, recursively deletes it.
Depends on: 262478
We would like to leave this bug security-sensitive for a couple of days after the patch release to give people a chance to protect themselve before leaking exploit details.
Whiteboard: [sg:fix] please don't remove security flag before Monday Oct 4
(In reply to comment #31) > but wouldn't a better fix be _not_ to recursively delete something that is > supposed to be a single file? it seems to me like there must be a remove(true) > somewhere that would better be a remove(false). ok, fixed by http://bonsai.mozilla.org/cvsview2.cgi?diff_mode=context&whitespace_mode=show&subdir=mozilla/toolkit/mozapps/downloads/content&command=DIFF_FRAMESET&file=downloads.js&rev1=1.28&rev2=1.29&root=/cvsroot (checked in as part of bug 262478)
Keywords: fixed-aviary1.0
Opening bug at reporter's request.
Group: security
I filed bug 262949 per comment 31 of this bug, to see if we can get a better filename than "unnamed".
Whiteboard: [sg:fix] please don't remove security flag before Monday Oct 4 → [sg:fix]
Blocks: sbb+
No longer blocks: sbb?
Blocks: 248511
Product: Firefox → Toolkit
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: