When saving page, local filename is sent to server.

RESOLVED DUPLICATE of bug 249508

Status

Core Graveyard
File Handling
--
critical
14 years ago
2 years ago

People

(Reporter: peter_jonson, Unassigned)

Tracking

(Blocks: 1 bug)

Description

14 years ago
User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8a6) Gecko/20041203

When using 'Save page as', the local filename chosen by the user (or the default
one) is sent to the server. It does this by constructing URLs based on all the
images in the page, but including '<local filename>_files' in the URL. This
usually generates a 404 error, but the page and images save OK.

Reproducible: Always
Steps to Reproduce:
1. Go to http://www.google.com/
2. (Trace network activity, e.g. with Ethereal)
3. Select 'Save Page As' from the context menu, and choose a distinctive file name
Actual Results:
GET http://www.google.com/my_private_filename_where_i_type_lots_of_private_info_files/logo.gif HTTP/1.1

Expected Results:  
Save from cache, without sending strange requests.

Also in mozilla 1.7.3 and firefox 1.0.

Because the saved HTML is hardcoded to refer to '<local filename>_files' on the
local filesystem, it is not convenient to rename it, so the user may type a long
filename to start with. This may contain several pieces of private information,
e.g. an account number, or how much you think a competitor may bid for a contract,
after reading their page, which you are now saving.

A website might encourage the saving of a certain page, perhaps suggesting a
format for the filename. They could then have this information stored against
the identity of each user.

If a page includes images from another server, perhaps as part of a secure
transaction, and that server redirects the image request, then the new name of
the image may be sent to the original server when the page is saved.
Blocks: 256195
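
The behaviour described in the report, as an added example (a simplified model, not Mozilla's code and not part of the original bug). It assumes the request arises because image links are rewritten to their local '<local filename>_files/...' form before being resolved against the page URL; all function names, the ".html" extension and the original image path are hypothetical.

```javascript
// Added example: simplified model of "Save Page As", not Mozilla code.
// Assumption: the request arises because image links are rewritten to their
// local "<name>_files/..." form before being resolved against the page URL.

// "notes.html" -> "notes_files" (directory created next to the saved page)
function filesDir(localName) {
  return localName.replace(/\.[^./]*$/, "") + "_files";
}

// Last path segment of an absolute URL, used as the local file name.
function leafName(absUrl) {
  return new URL(absUrl).pathname.split("/").pop() || "index";
}

// Flawed order: rewrite first, then resolve the rewritten link remotely.
function planRewriteThenFetch(pageUrl, srcs, localName) {
  return srcs.map((src) => {
    const original = new URL(src, pageUrl).href;
    const savedLink = `${filesDir(localName)}/${leafName(original)}`;
    return { savedLink, fetchUrl: new URL(savedLink, pageUrl).href };
  });
}

// Corrected order: fetch (or read from cache) by the original URL, and use
// the local name only inside the saved HTML.
function planFetchThenRewrite(pageUrl, srcs, localName) {
  return srcs.map((src) => {
    const original = new URL(src, pageUrl).href;
    const savedLink = `${filesDir(localName)}/${leafName(original)}`;
    return { savedLink, fetchUrl: original };
  });
}

// Regression check: true if any outgoing URL carries the local directory name.
function leaksLocalName(plan, localName) {
  const dir = filesDir(localName);
  return plan.some(({ fetchUrl }) => {
    const path = new URL(fetchUrl).pathname;
    let decoded = path;
    try { decoded = decodeURIComponent(path); } catch (e) { /* malformed %: keep raw */ }
    return decoded.includes(dir) || path.includes(dir);
  });
}

// Constructed sample input; the ".html" extension and image path are assumptions.
const PAGE = "http://www.google.com/";
const NAME = "my_private_filename_where_i_type_lots_of_private_info.html";
const SRCS = ["/images/logo.gif"];
console.log(planRewriteThenFetch(PAGE, SRCS, NAME)[0].fetchUrl);
console.log(leaksLocalName(planFetchThenRewrite(PAGE, SRCS, NAME), NAME));
```

Run against the list of URLs a save operation actually requests, a check like `leaksLocalName` makes the expected result in the report ("without sending strange requests") testable.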

Updated

14 years ago
Assignee: general → file-handling
Component: General → File Handling
Product: Mozilla Application Suite → Core
QA Contact: general → ian
Version: unspecified → Trunk
duplicate of a non-security bug... should we remove the flag here?

peter_jonson@fastmail.fm: are you using a proxy?

*** This bug has been marked as a duplicate of 249508 ***
Status: UNCONFIRMED → RESOLVED
Last Resolved: 14 years ago
Resolution: --- → DUPLICATE
(Reporter)

Comment 2

14 years ago
I want to open it to public view, but the tick box is greyed out, so I can't.

The bug is consistently reproducible without a proxy.
Blocks: 256199
No longer blocks: 256195
Product: Core → Core Graveyard