Firefox changing file names which contain '%' to an underscore (_) when saving files
Hi I'm running into an issue where I'm trying to save files while retaining their original filenames, but '%' characters are changed into an underscore when I try to save it. I've tested this with Google Chrome but it doesn't run into this issue. Is there a setting or workaround so that Firefox will leave the filenames alone?
Обране рішення
This is a high impact security fix that is not configurable.
CVE-2022-31739: Attacker-influenced path traversal when saving downloaded files When downloading files on Windows, the % character was not escaped, which could have lead to a download incorrectly being saved to attacker-influenced paths that used variables such as %HOMEPATH% or %APPDATA%. This bug only affects Firefox for Windows. Other operating systems are unaffected.Читати цю відповідь у контексті 👍 1
Усі відповіді (9)
I've included an image that shows what happens when I save a file with '%' characters in the filename.
The original file name is: [sound=https%3A%2F%2Ffiles.catbox.moe%2Fb5wg0l.mp3].gif
but when I save the file and choose a folder to save it to, the file is changed to: [sound=https_3A_2F_2Ffiles.catbox.moe_2Fb5wg0l.mp3].gif
Can you share an example file link?
zeroknight said
Can you share an example file link?
Sure, I've uploaded this image named 'test %%%' https://mega.nz/file/h5FkjKbZ#bd8IGj_tze7tuIxKrQIYUchnwe6bA5XR3gP2spbwe_Q
I tried saving it myself, and as shown in my attached image, it shows up as 'test ___' when saving the file.
Edit: Adding onto this, but I experience the same issue even when disabling all add-ons.
Змінено
Works for me. see screenshot What security software are your running?
jonzn4SUSE said
Works for me. see screenshot What security software are your running?
I'm using Windows Defender. I tried reinstalling Firefox (without uninstalling in order to preserve my saved tabs, settings and addons) but the issue still persists.
Just in case it could help, I'll include my OS details: Microsoft Windows 10 Home x64, Version 10.0.19045 Build 19045
I created a secondary profile using about:profiles, and the issue isn't present in the new profile, so it has something to do with my settings, but I'd rather not lose all my settings to fix this annoying issue.
Змінено
The "%" symbols are replaced for security reasons in the save dialog when you have "Always ask you where to save files" enabled . Do you have a specific use case for preserving them?
zeroknight said
The "%" symbols are replaced for security reasons in the save dialog when you have "Always ask you where to save files" enabled . Do you have a specific use case for preserving them?
Wow, good to know. Is there a setting in about:config or someplace else where I can disable that security feature? I'd like to keep preserving '%' characters in filenames as I sometimes download files in which the % in the filename is necessary. I'd also like to be able to keep choosing where I save each individual file for organizational purposes.
Вибране рішення
This is a high impact security fix that is not configurable.
CVE-2022-31739: Attacker-influenced path traversal when saving downloaded files When downloading files on Windows, the % character was not escaped, which could have lead to a download incorrectly being saved to attacker-influenced paths that used variables such as %HOMEPATH% or %APPDATA%. This bug only affects Firefox for Windows. Other operating systems are unaffected.
zeroknight said
This is a high impact security fix that is not configurable.CVE-2022-31739: Attacker-influenced path traversal when saving downloaded files When downloading files on Windows, the % character was not escaped, which could have lead to a download incorrectly being saved to attacker-influenced paths that used variables such as %HOMEPATH% or %APPDATA%. This bug only affects Firefox for Windows. Other operating systems are unaffected.
Thanks for linking the thread regarding the bug. I'm not familiar with what's being discussed or how the bug resolving process works, is the '%' changing into '_' a temporary solution or is the issue considered fully resolved? I'd like to know if the developers plan to actually fix it, instead of applying a band-aid solution.