Closed Bug 627826 Opened 13 years ago Closed 13 years ago

Firefox automatically downloads .part for application/x-msdos-program files

Categories

(Firefox :: File Handling, defect)

x86_64
Windows 7
defect
Not set
normal

RESOLVED DUPLICATE of bug 69938

People

(Reporter: Logan, Unassigned)

Details

User-Agent:       Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0b10pre) Gecko/20110120 Firefox/4.0b10pre
Build Identifier: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0b10pre) Gecko/20110120 Firefox/4.0b10pre

DISCLAIMER:  The file linked to below will most likely report as a virus in your anti-virus program.  However, it is a well-known test file.

When opening https://secure.eicar.org/eicar.com in the latest Minefield build, a window pops up asking if you want to save or cancel downloading.  However, even in Safe Mode (eliminating the possibility of an add-on causing this security flaw), Firefox automatically downloads a .part file, such as C:\Users\Logan\AppData\Local\Temp\IuXLlSyy.com.part

Microsoft Security Essentials popped up claiming that a virus was downloaded without even clicking Save in the dialog, which caused suspicion.  Sure enough, after testing multiple times, when visiting the Eicar page, Firefox begins to download the .com file as a .part in the Temp folder.  This is a major security flaw.

Reproducible: Always

Steps to Reproduce:
1. Visit https://secure.eicar.org/eicar.com

Actual Results:
Firefox downloads a .part file without the user pressing Save File, and an anti-virus program pops up with a security notification.

Expected Results:  
Firefox waits for the user's input before downloading the application/x-msdos-program, thus eliminating the chance of downloading a virus.

Why should this be a security flaw?
You can download millions of files with a virus in them and it would not be dangerous unless you execute the file, and you can't start it by accident with the .part extension.

You get the same result if you load https://secure.eicar.org/eicar.com.txt.
You should get a security warning because the file gets stored in the cache, but it's not dangerous at all.
Severity: critical → normal
Status: UNCONFIRMED → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE