Closed Bug 669089 Opened 13 years ago Closed 13 years ago

security issue downloading files

Categories

(Firefox :: Security, defect)

5 Branch
All
Other
defect
Not set
normal

VERIFIED DUPLICATE of bug 69938

People

(Reporter: telegraph, Unassigned)

Attachments

(1 file)

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0) Gecko/20100101 Firefox/5.0
Build ID: 20110615151330

Steps to reproduce:

I clicked on 'download' next to a movie on quicksilverscreen.com


Actual results:

quicksilverscreen.com generated a 'save this file' window, which was labelled as downloading 'eMule.exe'. I did not click save.
About 2 seconds after the window with the 'save' and 'cancel' buttons popped up, the screen deformed itself for the space of 1 second (somehow the display shifted to the right about 10px for the whole screen and then back).
Still hadn't clicked anything.
At this point my antivirus software warned me we had already downloaded a trojan; as mentioned, I didn't click *anything* after hitting 'download' on the web page.
I subsequently removed the trojan and clicked 'cancel' on the window.
It seems to me Firefox was tricked into downloading something without anybody's final approval. The virus was already loaded onto my computer before I even clicked 'save file' or 'cancel'.


Expected results:

At least wait until I click 'save file' to download a virus onto my PC, rather than do it anyway before I even get a chance to click 'cancel', especially when I think that I'll be downloading an '.flv' and it turns out to be an '.exe', which I would have known not to download.

Thanks,

Firefox begins downloading files to a temporary location even before you click save. This can sometimes cause anti-virus programs to flag the temporary, partially downloaded file, which is what appears to be the case here.

I agree that we shouldn't start the download so early since it causes these alarms even when an infection hasn't occurred.

dveditz: can we change this behavior? I don't think the small benefit is worth the hassle.

Removing the security flag.
Group: core-security
Status: UNCONFIRMED → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
I see the similarities with bug 69938 in that downloads start before you click save, but IMHO this is a separate issue.
How can you willingly allow Firefox (FF) to download infected files, especially when a user hasn't even given their approval to do so, and even more so when it's a 'dangerous' file type? Isn't FF supposed to be a 'very secure' browser? Hasn't that been its 'selling' point? (BTW, I'm almost sold on switching to an alternative browser because of this.)
There should at the very least be a filtering system that screens which files will be downloaded (whether it's in /TMP or any other directory on your machine) so that dangerous files require user action before being even partially downloaded.
That, or a checkbox somewhere that says 'allow downloads to start whilst I slowly decide what to do'.
Frankly, with the speed of broadband these days, I don't think the head start of the 10 seconds it takes me to judge whether or not I want to download a dodgy .exe file from a dodgy, dodgy website is a good 'speed vs. security' trade-off.
Status: RESOLVED → UNCONFIRMED
Resolution: DUPLICATE → ---
Downloading into a temp directory is not dangerous at all, and it doesn't matter if the file is "dangerous" or not; it doesn't harm your system. Downloading into a user-visible place (the Desktop, for example) would be different, because a user could execute files if the extension of the file is retained (I'm not sure if this is true).

The predownload isn't there to get more speed; it is because you can't pause an HTTP connection. Gecko only knows that there is a file type that triggers a download dialog after it has opened the connection. You would have to cancel the connection after receiving the headers and start a new connection later, but there is no guarantee that you get the same file again with a new connection.

This is an exact dupe of bug 69938. That bug is there to remove the download to the temp directory.
The reasoning behind bug 69938 is:
a) the temp directory could have a quota or the space there is limited
b) user panic reaction because of an AV alert

Please don't reopen this report unless your problem is not that the download starts early.
Status: UNCONFIRMED → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
Status: RESOLVED → VERIFIED
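As an added illustration (not code from Firefox, Gecko, or anyone in this bug), the Python sketch below shows the kind of header-level screening the reporter asks for in comment 3, built on the constraint the last comment describes: by the time Gecko knows a response is a download, the connection is already open and only the headers are available. The function inspects nothing but the response head and decides whether the body may be spooled to disk straight away or must wait for the user's answer, flagging both an executable proposed filename and the '.flv'-link-but-'.exe'-file mismatch from the original report. The dangerous-extension list, the example URL and the two response heads are constructed for this example.

```python
import email.parser
import posixpath
from urllib.parse import unquote, urlsplit

# Constructed list of extensions a download manager should treat as executable;
# an illustration for this example, not Firefox's own list.
DANGEROUS_EXTENSIONS = {".exe", ".msi", ".scr", ".bat", ".cmd", ".com", ".pif", ".vbs", ".hta"}


def parse_response_headers(raw_headers):
    """Split an HTTP response head (status line plus header fields) into
    (status_line, email.message.Message). Only the head is consumed; this is
    the information available before any body bytes are written anywhere."""
    text = raw_headers.replace("\r\n", "\n")
    status_line, _, header_block = text.partition("\n")
    return status_line.strip(), email.parser.Parser().parsestr(header_block)


def effective_filename(msg, url):
    """Filename the browser would propose in its dialog: the Content-Disposition
    filename parameter if present, otherwise the last path segment of the URL."""
    name = msg.get_filename()
    if not name:
        name = unquote(posixpath.basename(urlsplit(url).path)) or "index"
    # Strip any directory components a hostile server might embed in the name.
    return posixpath.basename(name.replace("\\", "/"))


def classify_download(raw_headers, url):
    """Decide from the headers alone whether the body may be spooled to disk
    immediately or must wait for explicit user confirmation."""
    _, msg = parse_response_headers(raw_headers)
    filename = effective_filename(msg, url)
    proposed_ext = posixpath.splitext(filename)[1].lower()
    url_ext = posixpath.splitext(urlsplit(url).path)[1].lower()
    disposition = msg.get("Content-Disposition", "").split(";", 1)[0].strip().lower()
    is_executable = proposed_ext in DANGEROUS_EXTENSIONS
    # The reporter followed a link to an .flv and was offered an .exe instead.
    ext_mismatch = bool(url_ext) and url_ext != proposed_ext
    return {
        "filename": filename,
        "content_type": msg.get_content_type(),
        "attachment": disposition == "attachment",
        "executable": is_executable,
        "extension_mismatch": ext_mismatch,
        "confirm_before_writing": is_executable or ext_mismatch,
    }


# Constructed response heads for the two situations discussed in this bug.
TROJAN_LIKE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/octet-stream\r\n"
    "Content-Disposition: attachment; filename=\"eMule.exe\"\r\n"
    "Content-Length: 1048576\r\n"
    "\r\n"
)
PLAIN_VIDEO_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: video/x-flv\r\n"
    "Content-Length: 734003200\r\n"
    "\r\n"
)
EXAMPLE_URL = "http://example.invalid/videos/movie.flv"  # constructed

if __name__ == "__main__":
    for head in (TROJAN_LIKE_RESPONSE, PLAIN_VIDEO_RESPONSE):
        print(classify_download(head, EXAMPLE_URL))
```

Such a check does not remove the limitation described above: the TCP connection is still open and the server keeps sending, so bytes continue to arrive in the socket buffer whatever the decision. What it governs is whether those bytes are written to the temp directory before the user answers the dialog, which is exactly the step that triggered the antivirus alert in this report.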