Closed Bug 488064 Opened 16 years ago Closed 16 years ago

Cannot download security-sensitive bug attachments with shift-click

Categories

(Bugzilla :: Attachments & Requests, defect)

x86
Windows XP
defect
Not set
major

Tracking

RESOLVED WORKSFORME

People

(Reporter: nelson, Unassigned)

Details

When a bug contains an attachment of a type that the browser normally intercepts and handles, and I want to download that attachment as a file to disk, I use shift-click (of course). If the bug is marked security sensitive, then ANY and ALL attempts to download attachments with shift-click cause the downloaded file to be a web page that says "Access Denied" rather than the desired attachment content. To work around this, I find it necessary to change the attachment's MIME content-type in the bug to application/octet-stream. Then I can download the attachment with a simple click, not a shift click, and it works fine. So, why the heck can't I download security sensitive attachments with a shift-click??
Cannot reproduce. I can "Save Link As..." just fine on a secure attachment, FF 3.0.8. (FWIW, shift-click opens a link in a new window for me, it doesn't open a download prompt.)
Severity: major → normal
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → WORKSFORME
Assignee: attach-and-request → nobody
Severity: normal → major
Status: RESOLVED → REOPENED
Component: Attachments & Requests → Bugzilla: Other b.m.o Issues
Product: Bugzilla → mozilla.org
QA Contact: default-qa → other-bmo-issues
Resolution: WORKSFORME → ---
Version: unspecified → other
ok, maybe it's a BMO-specific problem. But it is 100% reproducible, and a MAJOR pain for working on security sensitive bugs.
This works for me just fine... Can you try with a fresh profile with no add-ons? What version of Firefox are you using to reproduce this?
SM trunk, not many addons (since so few work with it). If you search for all the security-sensitive NSS bugs with non-patch attachments, you'll find that most of those attachments have MIME content type application/octet-stream instead of the more expected content types for certs and/or CRLs. This bug is the reason they have that content type.
Maybe this is a SM bug. Must be that SM sends something different in the http request for shift-click than for click. Maybe it lacks a cookie? I don't have any addons that try to mess with the contents of requests and/or responses.
Maybe it's the lack of a referring HTML page? Does BMO require the requests to have a referrer in the HTTP requests? Does SM not send the referrer for shift-click?
BMO is not doing anything special with attachments that doesn't exist upstream. If there's a problem it's with Bugzilla in general and not BMO. And to answer the specific questions, no, it's not doing any referer checks. It is, however, going to have one or more 302 redirects between your click and the actual attachment data showing up. The action is: 1) You click an attachment link 2) you hit (primary host)/attachment.cgi?id=(attach_id) 3) a one-time-use token is generated and appended to the URL 4) you redirect to (attachment host)/attachment.cgi?id=(attach_id)&token=(token) 5) the token is checked to confirm it is valid 6) the attachment data is sent to you.
Assignee: nobody → attach-and-request
Component: Bugzilla: Other b.m.o Issues → Attachments & Requests
Product: mozilla.org → Bugzilla
QA Contact: other-bmo-issues → default-qa
Version: other → unspecified
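Added example, not part of the thread and not Bugzilla's code: a minimal model of the six-step redirect flow listed in the comment above, showing how a one-time-use token behaves when the final URL is followed once and then requested again. The host name, in-memory store, 60-second lifetime, user names and function names are all assumptions made for this sketch.

```python
import secrets
import time
from urllib.parse import urlparse, parse_qs

TOKEN_TTL = 60  # seconds; assumed, the thread states no lifetime
ATTACHMENTS = {101: b"constructed sample attachment bytes"}
CAN_SEE = {"alice"}  # constructed: users allowed on the restricted bug

class TokenStore:
    """State shared by both hosts (assumed to be in-memory for this sketch)."""
    def __init__(self):
        self._tokens = {}  # token -> (attach_id, expiry)

    def issue(self, attach_id, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(16)
        self._tokens[token] = (attach_id, now + TOKEN_TTL)
        return token

    def redeem(self, token, attach_id, now=None):
        now = time.time() if now is None else now
        entry = self._tokens.pop(token, None)  # pop makes the token single-use
        return entry is not None and entry[0] == attach_id and now <= entry[1]

def primary_host(store, user, attach_id):
    """Steps 2-4: check the logged-in user, mint a token, redirect."""
    if attach_id not in ATTACHMENTS or user not in CAN_SEE:
        return 403, "Access Denied"
    token = store.issue(attach_id)
    return 302, f"https://attachments.example/attachment.cgi?id={attach_id}&token={token}"

def attachment_host(store, url):
    """Steps 5-6: the token in the URL is the only credential checked here."""
    query = parse_qs(urlparse(url).query)
    attach_id = int(query.get("id", ["0"])[0])
    token = query.get("token", [""])[0]
    if not store.redeem(token, attach_id):
        return 403, "Access Denied"
    return 200, ATTACHMENTS[attach_id]

def demo():
    store = TokenStore()
    _, location = primary_host(store, "alice", 101)
    first = attachment_host(store, location)    # follows the redirect once
    replay = attachment_host(store, location)   # same URL requested again
    stranger = primary_host(store, "mallory", 101)
    return first[0], replay[0], stranger[0]
```
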
I also can't reproduce this on b.m.o in Firefox 3.1b3. Shift-clicking an attachment on a secured bug opens the attachment in a new browser window. Option-clicking an attachment (I'm on a Mac) downloads the attachment to disk. Examining the content of the downloaded file (which is named attachment.cgi rather than the filename fed in the headers) shows that it does actually have the correct content in it, and not an error page.
Tested with both Fx3.1b3 and SM2.0a3, and both are working as expected. Shift-click with SM 2.0a3 displays the download window and the attachment being downloaded is named "attachment.cgi". You could CC me to one of your security bugs and let me try with the attachment you tried to download, if you trust me enough. ;) Anyway, nobody except you can reproduce => WFM.
Status: REOPENED → RESOLVED
Closed: 16 years ago
Resolution: --- → WORKSFORME