Rechercher dans l’assistance

Évitez les escroqueries à l’assistance. Nous ne vous demanderons jamais d’appeler ou d’envoyer un SMS à un numéro de téléphone ou de partager des informations personnelles. Veuillez signaler toute activité suspecte en utilisant l’option « Signaler un abus ».

En savoir plus

Firefox changing file names which contain '%' to an underscore (_) when saving files

  • 9 réponses
  • 3 ont ce problème
  • 1 vue
  • Dernière réponse par hvhv

more options

Hi I'm running into an issue where I'm trying to save files while retaining their original filenames, but '%' characters are changed into an underscore when I try to save it. I've tested this with Google Chrome but it doesn't run into this issue. Is there a setting or workaround so that Firefox will leave the filenames alone?

Hi I'm running into an issue where I'm trying to save files while retaining their original filenames, but '%' characters are changed into an underscore when I try to save it. I've tested this with Google Chrome but it doesn't run into this issue. Is there a setting or workaround so that Firefox will leave the filenames alone?

Solution choisie

This is a high impact security fix that is not configurable.

CVE-2022-31739: Attacker-influenced path traversal when saving downloaded files When downloading files on Windows, the % character was not escaped, which could have lead to a download incorrectly being saved to attacker-influenced paths that used variables such as %HOMEPATH% or %APPDATA%. This bug only affects Firefox for Windows. Other operating systems are unaffected.

CVE-2022-31739

Lire cette réponse dans son contexte 👍 1

Toutes les réponses (9)

more options

I've included an image that shows what happens when I save a file with '%' characters in the filename.

The original file name is: [sound=https%3A%2F%2Ffiles.catbox.moe%2Fb5wg0l.mp3].gif

but when I save the file and choose a folder to save it to, the file is changed to: [sound=https_3A_2F_2Ffiles.catbox.moe_2Fb5wg0l.mp3].gif

more options

Can you share an example file link?

more options

zeroknight said

Can you share an example file link?

Sure, I've uploaded this image named 'test %%%' https://mega.nz/file/h5FkjKbZ#bd8IGj_tze7tuIxKrQIYUchnwe6bA5XR3gP2spbwe_Q

I tried saving it myself, and as shown in my attached image, it shows up as 'test ___' when saving the file.

Edit: Adding onto this, but I experience the same issue even when disabling all add-ons.

Modifié le par hvhv

more options

Works for me. see screenshot What security software are your running?

more options

jonzn4SUSE said

Works for me. see screenshot What security software are your running?

I'm using Windows Defender. I tried reinstalling Firefox (without uninstalling in order to preserve my saved tabs, settings and addons) but the issue still persists.

Just in case it could help, I'll include my OS details: Microsoft Windows 10 Home x64, Version 10.0.19045 Build 19045

I created a secondary profile using about:profiles, and the issue isn't present in the new profile, so it has something to do with my settings, but I'd rather not lose all my settings to fix this annoying issue.

Modifié le par hvhv

more options

The "%" symbols are replaced for security reasons in the save dialog when you have "Always ask you where to save files" enabled . Do you have a specific use case for preserving them?

more options

zeroknight said

The "%" symbols are replaced for security reasons in the save dialog when you have "Always ask you where to save files" enabled . Do you have a specific use case for preserving them?

Wow, good to know. Is there a setting in about:config or someplace else where I can disable that security feature? I'd like to keep preserving '%' characters in filenames as I sometimes download files in which the % in the filename is necessary. I'd also like to be able to keep choosing where I save each individual file for organizational purposes.

more options

Solution choisie

This is a high impact security fix that is not configurable.

CVE-2022-31739: Attacker-influenced path traversal when saving downloaded files When downloading files on Windows, the % character was not escaped, which could have lead to a download incorrectly being saved to attacker-influenced paths that used variables such as %HOMEPATH% or %APPDATA%. This bug only affects Firefox for Windows. Other operating systems are unaffected.

CVE-2022-31739

more options

zeroknight said

This is a high impact security fix that is not configurable.
CVE-2022-31739: Attacker-influenced path traversal when saving downloaded files When downloading files on Windows, the % character was not escaped, which could have lead to a download incorrectly being saved to attacker-influenced paths that used variables such as %HOMEPATH% or %APPDATA%. This bug only affects Firefox for Windows. Other operating systems are unaffected.

CVE-2022-31739

Thanks for linking the thread regarding the bug. I'm not familiar with what's being discussed or how the bug resolving process works, is the '%' changing into '_' a temporary solution or is the issue considered fully resolved? I'd like to know if the developers plan to actually fix it, instead of applying a band-aid solution.