Closed Bug 754724 Opened 13 years ago Closed 2 years ago

Minor security issue with Firefox download script

Categories

(Toolkit :: Downloads API, defect)

12 Branch
x86_64
Windows 7
defect


RESOLVED DUPLICATE of bug 295410

People

(Reporter: billy, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0
Build ID: 20120420145725

Steps to reproduce:

A malicious page is able to send a file using Firefox downloads.

Actual results:

Although the file was not accepted, the save dialogue box remained frozen. Having work I needed to complete, I figured I would leave it until I could reboot later. A few minutes later, I noticed my PC activity running high, as if something was being installed... it was. I tested several times to reproduce the problem by clicking a known "safe" link, but not accepting the dialogue to save the file. Every file will download to a temporary directory without the user clicking the "Save" button on the dialogue that opens after clicking a download link. This is just a minor bug for most of us; those who use a recent version of Windows, Linux, or Mac OS. But those who use an older or outdated version of Windows or Mac OS could have a malicious file run on their computer just by going to the wrong website.

Expected results:

The download should not open a socket until the user clicks the "Save" button; otherwise the file activity should time out in a reasonable time if the user does not respond, in case a malicious website does lock the "Save" dialogue in a non-focus state, leaving the user unknowingly downloading a file.
Severity: normal → critical
That's a feature that has been in there for a very long time - the download is already being done before you have clicked the save button (or chosen where the download needs to be saved). That will save you several seconds at least. It is *not* a bug. Note that it's not a security problem, as the file would be removed when you press cancel. Or, if you press Save, it doesn't matter, since the result would be the same. The only problem that you can see is that your antivirus software might trigger a warning before you actually pressed save. But the download can not do anything until you open it, which is after the Save button was clicked. It was *not* being installed. The CPU activity came from writing the file, and possibly your antivirus software scanning it. Which is exactly what would have happened if you had pressed Save much sooner. The act of downloading a file has nothing to do with a security problem. It's what you do with the file afterwards that is important. Unfortunately, antivirus products will scream fire much sooner than that, at the moment the file is being written. The same thing happens when they discover such a file in your cache, for instance, and this often leads to people filing bug reports, thinking that they have been hacked. But those files are actually harmless if they only reside on the filesystem.
Whether it's an intentional part of the program or not, I don't want it. Even IF it doesn't run the file, it still downloads it without the user's consent. Of course everyone wants to blame the antivirus software for every unknown hard drive activity, except for the fact that I don't have antivirus software on my Linux partition, and it produces the same problem. So in your mind, it's okay for a malicious website to shove hundreds of megabytes/gigabytes onto a user's drive without their knowledge as long as it's been there for a very long time, while sucking their bandwidth; but that is NOT okay for anyone. I will be removing Firefox and Thunderbird from my Windows and Linux installs, and returning to the "other" browsers.
Component: Untriaged → Downloads Panel
QA Contact: untriaged → downloads.panel
I think that this behavior should be changed as William indicated. When it comes to files being placed on a computer from the web, I don't care if it saves an extra second or not, or whether or not it can actually do anything to my computer. If I didn't click save to have it Saved to my computer, I don't want it SAVED to my computer, no matter what the circumstance is. Give the user the control. If I click save, then save it; if I don't, then don't. Not too difficult. Focus on the User.
moving to toolkit
Component: Downloads Panel → Download Manager
Product: Firefox → Toolkit

In the process of migrating remaining bugs to the new severity system, the severity for this bug cannot be automatically determined. Please retriage this bug using the new severity system.

Severity: critical → --

The severity field is not set for this bug.
:mak, could you have a look please?

For more information, please visit BugBot documentation.

Flags: needinfo?(mak)
Status: UNCONFIRMED → RESOLVED
Closed: 2 years ago
Duplicate of bug: 295410
Flags: needinfo?(mak)
Resolution: --- → DUPLICATE