Closed Bug 649321 Opened 14 years ago Closed 3 years ago

Downloading a file of unknown media type can modify the Applications Preferences

Categories

(Firefox :: File Handling, defect)

All
Linux
defect
Not set
major

Tracking

()

RESOLVED WORKSFORME

People

(Reporter: vincent-moz, Unassigned)

References

(Depends on 1 open bug)

Details

(Whiteboard: DUPEME)

Attachments

(2 files)

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:2.2a1pre) Gecko/20110412 Firefox/4.2a1pre
Build Identifier: Mozilla/5.0 (X11; Linux x86_64; rv:2.2a1pre) Gecko/20110412 Firefox/4.2a1pre

When downloading a file, a content-type (MIME type) can be added to the Applications Preferences. The description will be reused for other files with the same content-type and it may be incorrect, giving wrong information to the user, who doesn't have access to the content-type itself, only the description.

First, having local data modified due to some remote web site is bad as the user may wonder what's going on. It can also be a potential security problem (or at least yield annoying behavior) if the user opens such a file with a wrong application (the file may come from some web site regarded as safe by the user, even under the user's control, but the user will get incorrect information).

Reproducible: Always

Steps to Reproduce:
0. (May be optional) Revert to default settings.
1. Open a file served as "Content-Type: application/binary" with .bz2 extension.
2. Open a file served as "Content-Type: application/binary" with no extension.

Actual Results:
The second file is presented as a "Bzip archive".

Expected Results:
Firefox should just say that the second file has type application/binary.

This even affects Safe Mode.
I've added two attachments. After saving the first one (.bz2 file with application/binary content-type), a line with "Bzip archive" appears in the Applications Preferences. This behavior is wrong because application/binary doesn't necessarily correspond to bzip archives. The consequence of the problem can be seen when opening the second attachment (text file with application/binary content-type).

Basically, what this means is that the correspondence between MIME types and the description provided by Firefox cannot be trusted, even for trusted web sites.
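
The reproduction conditions from the report, as an added example that is not part of the original bug or its attachments: a loopback test server that serves two files as application/binary, one a real bzip2 archive with a .bz2 extension and one plain text with no extension. The paths, port and payloads are constructed assumptions.

```python
import bz2
from http.server import BaseHTTPRequestHandler, HTTPServer

GENERIC_TYPE = "application/binary"  # media type from the report's steps

# Constructed payloads; the paths and contents are assumptions.
FILES = {
    "/sample.bz2": bz2.compress(b"constructed sample data\n"),  # step 1
    "/sample": b"plain text, not an archive\n",                  # step 2
}


def is_bzip2(body):
    """True if the body starts with the bzip2 magic bytes."""
    return body[:3] == b"BZh"


def response_for(path):
    """Return (status, content_type, body) for a request path."""
    body = FILES.get(path)
    if body is None:
        return 404, "text/plain", b"not found\n"
    # Same generic type for both files: the type says nothing about
    # the format, so a description learned from one must not be
    # applied to the other.
    return 200, GENERIC_TYPE, body


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, content_type, body = response_for(self.path)
        self.send_response(status)
        self.send_header("Content-Type", content_type)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Loopback only; port 8000 is an arbitrary choice.
    HTTPServer(("127.0.0.1", 8000), Handler).serve_forever()
```

Run it against a fresh profile and open /sample.bz2 first, then /sample, to compare what the browser displays for each file.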
Confirmed on Linux. Theoretically, that should affect Windows and Mac, too.

(In reply to comment #3)
> Basically, what this means is that the correspondence between MIME types and
> the description provided by Firefox cannot be trusted, even for trusted web
> sites.

*unknown* MIME types.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Hardware: x86_64 → All
Component: Preferences → File Handling
Product: Firefox → Core
QA Contact: preferences → file-handling
FYI, users reported that such additional Applications Preferences data were affecting uploads: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/84880 Users also wonder where these data came from... This corresponds to Mozilla bug 556977 (still UNCONFIRMED), probably a duplicate of bug 373621, which may be a consequence of this bug.
Whiteboard: DUPEME
This also happens with application/force-download files, which is very annoying since this pseudo-MIME type is precisely used to avoid defining the real MIME type and force downloading. See bug 698265.
This affects pdf.js a lot (it pretty much breaks it). Should be fixed before pdf.js is on by default in the released version. PDF files with the content-disposition:attachment header are quite common.
Summary: Downloading a file can modify the Applications Preferences → Downloading a file of unknown media type can modify the Applications Preferences
I can't reproduce this bug with: Mozilla/5.0 (X11; Linux x86_64; rv:30.0) Gecko/20100101 Firefox/30.0 with the testcase provided here: mimeTypes.rdf no longer gets modified. Note that for old profiles, one may need to clean up mimeTypes.rdf first.
Depends on: 503309
Product: Core → Firefox

Hey Vincent,
Can you still reproduce this issue or should we close it?

Flags: needinfo?(vincent-moz)

In comment 8, I said that I could not reproduce it. And I still cannot reproduce it with Firefox 94 on the provided testcase (BTW, on the .bz2 file, Firefox no longer says "Bzip archive", but "bz2 File").

Flags: needinfo?(vincent-moz)

Actually this bug seems obsolete as Firefox 98 now forces a download, without presenting any kind of file type. Tested with the provided testcase and a new profile.

Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → INVALID
Resolution: INVALID → WORKSFORME

An additional note: IIRC, I initially got this bug on InriaForge (based on FusionForge), where there was almost no control of the mapping of uncommon file extensions to MIME types, but the web site is now closed. So, in any case, I can no longer test there.

There was more information in the Debian bug I had reported initially (and which I hadn't referenced yet here):
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=622353

And indeed, I got this issue on InriaForge (so I can no longer do the same tests).
