Chrome doesn't remove temp files from cloudprint print jobs
Issue description
Version: 49.0.2623.112
OS: Server 2008r2
What steps will reproduce the problem?
(1) Configure Google Chrome cloud print proxy https://support.google.com/cloudprint/answer/1686197?hl=en&ref_topic=4456182#index2 (classic instructions)
(2) Send print job(s) to cloudprint printer. Jobs should print as expected.
(3) Observe files in user's %TEMP% folder (C:\Users\jayhlee\AppData\Local\Temp\2, on my system)
What is the expected output?
.tmp files for print jobs should be cleaned up after job is spooled / printed.
What do you see instead?
.tmp files remain in place filling device hard drive.
Please use labels and text to provide additional information.
One customer now has over 65k files in their temp folder since Chrome is not cleaning this up. This broke printing as Chrome can't write temp files any longer due to filesystem limitations. Filling up the hard drive is also a possibility. There are also security implications when user print data is left on the server system.
Looking at: https://chromium.googlesource.com/chromium/src/+/49.0.2623.112/chrome/service/cloud_print/printer_job_handler.cc I see no indication that Chrome attempts to clean up the temp files after spooling the job.
Apr 12 2016
Did some further testing:
- temp files are removed upon reboot of Windows system.
- temp files are removed upon logout and log back on of the Windows user.
- temp files are NOT removed when all chrome.exe processes are killed and then Chrome restarted.
None of these actions would occur on a well-behaving cloudprint server, leaving print jobs on disk for long stretches of time (weeks to months). From a security perspective, I believe we should be removing the temp files as soon as they are no longer needed and not waiting for a time-based cleanup process to remove them.
Apr 12 2016
I don't think there is a security component to this issue unless the files being stored under C:\Users\jayhlee\AppData\Local\Temp\2 are readable by users other than jayhlee in this example. There is certainly a functional component to it, though. Is it the case that they are world-readable?
Apr 12 2016
Apr 13 2016
Simple fix could be just to delete print_data_file_path_ from:
PrinterJobHandler::OnJobSpoolSucceeded()
PrinterJobHandler::OnJobSpoolFailed()
PrinterJobHandler::Reset()
PrinterJobHandler::~PrinterJobHandler()
However this will leak files on Chrome crashes. To cover this case, FLAG_DELETE_ON_CLOSE can be used instead, but it would require additional internal changes.
Apr 13 2016
The proxy service allows any user to print to the printer that has permissions. The temp files can be print jobs from any one of these users, which means that anyone with admin rights can view the files. This seems like a security issue to me.
Apr 13 2016
re #6: admin can intercept docs with or without this bug. e.g. admin can access proxy service config file with OAUTH token. It can be used to download documents from the cloud print server. Or just reconfigure OS to save all print jobs.
Apr 15 2016
Re-adding security label as customer considers this a serious security risk. They are aware that the cloud printer owner has ongoing access to print jobs, that's part of the Cloud Print model. They were not aware and were highly concerned when they found 65k legacy print jobs stored unencrypted at rest on their server. @vitalybuka, can you clarify comment #5 "this will leak files on Chrome crashes"? It sounds to me like in normal circumstances, Chrome would then clean up print jobs fine but if there's a crash, some temp files might not be deleted? While that's not perfect, it means most normal print jobs would be cleaned up as expected by customer and any stale ones would still be caught by reboot of machine. If it's a quick fix I'd vote we get that much in now and get that pushed down to stable while we deal with the larger changes long term.
Apr 15 2016
Apr 15 2016
Removing security label, as "admin rights" are required to see the files. Despite what your customer may think, once you have admin rights, there is no longer a security boundary.
Apr 15 2016
Apr 15 2016
Apr 15 2016
Apr 17 2016
Adding the privacy label as FYI to the privacy team, in case the tmp files could contain something specific to the user (e.g., parts of the documents printed).
Apr 18 2016
@vabr, thanks, yes the files are the entire print job in PDF format.
Apr 19 2016
FWIW, I can reproduce the bug. However, the Cloud Print Proxy is completely broken at ToT. Filed bug 604106, there may be another bug filed soon. So we need to get the proxy back to working order before we can worry about it leaking files.
Apr 20 2016
Apr 21 2016
Deleting print jobs if the Cloud Print Proxy crashes isn't feasible on Mac/Linux, since we use CUPS to handle print jobs, and CUPS is file path based, whereas FLAG_DELETE_ON_CLOSE is implemented on POSIX by deleting the file path, but leaving a file descriptor to the file open. We can do it on Windows if we really tried, but the simple fix is probably good enough?
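Added illustration, not part of the thread and not Chromium code: the two cleanup strategies weighed in the comments above, written with plain POSIX calls. ScopedJobFile and SpoolByPath are hypothetical names, the /tmp/printjob- prefix and file contents are constructed, and the explicit unlink() stands in for the delete-on-close behaviour described for POSIX.

```cpp
// Added example, not Chromium code. ScopedJobFile and SpoolByPath are hypothetical.
#include <fcntl.h>
#include <stdlib.h>
#include <unistd.h>
#include <string>

// Owns one print-job temp file; the destructor removes it on every exit path.
struct ScopedJobFile {
  int fd = -1;
  std::string path;
  explicit ScopedJobFile(const std::string& data) {
    char tmpl[] = "/tmp/printjob-XXXXXX";  // constructed sample location
    if ((fd = mkstemp(tmpl)) < 0) return;  // mkstemp creates the file with mode 0600
    path = tmpl;
    if (write(fd, data.data(), data.size()) < 0) Reset();
  }
  ~ScopedJobFile() { Reset(); }
  ScopedJobFile(const ScopedJobFile&) = delete;
  // POSIX-style delete-on-close: drop the name now, keep the descriptor open.
  void UnlinkName() { if (!path.empty()) { unlink(path.c_str()); path.clear(); } }
  void Reset() { UnlinkName(); if (fd >= 0) { close(fd); fd = -1; } }
};

// Stand-in for a spooler that is handed a file name, as CUPS is.
bool SpoolByPath(const std::string& p) {
  int fd = open(p.c_str(), O_RDONLY);
  if (fd < 0) return false;
  char c; bool ok = read(fd, &c, 1) == 1;
  close(fd);
  return ok;
}

// Simple fix: spool by path; the file is gone once the handler goes away.
bool SimpleFixLeavesNoFile() {
  std::string p; bool spooled = false;
  { ScopedJobFile job("%PDF-constructed"); p = job.path; spooled = SpoolByPath(p); }
  return spooled && access(p.c_str(), F_OK) != 0;
}

// Delete-on-close: data survives behind the fd, but a path-based spooler fails.
bool DeleteOnCloseBreaksPathSpooler() {
  ScopedJobFile job("%PDF-constructed");
  std::string p = job.path;
  job.UnlinkName();
  char c;
  return pread(job.fd, &c, 1, 0) == 1 && !SpoolByPath(p);
}

int main() { return SimpleFixLeavesNoFile() && DeleteOnCloseBreaksPathSpooler() ? 0 : 1; }
```

Neither strategy covers a crash between file creation and spooling when the consumer needs a path, which is the window the thread accepts.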
Apr 23 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/8adc973dd3bd361b8b19f9e0f197cbf5737ddd06
commit 8adc973dd3bd361b8b19f9e0f197cbf5737ddd06
Author: thestig <thestig@chromium.org>
Date: Sat Apr 23 03:34:08 2016
Cloud Print Proxy: Delete print jobs.
There always exists some time window when the print job may not get deleted if the proxy crashes, but in general, print jobs will be deleted after they are spooled.
Do some cleanups along the way.
BUG= 602736
Review URL: https://codereview.chromium.org/1907083002
Cr-Commit-Position: refs/heads/master@{#389354}
[modify] https://crrev.com/8adc973dd3bd361b8b19f9e0f197cbf5737ddd06/chrome/service/cloud_print/print_system_cups.cc
[modify] https://crrev.com/8adc973dd3bd361b8b19f9e0f197cbf5737ddd06/chrome/service/cloud_print/print_system_win.cc
[modify] https://crrev.com/8adc973dd3bd361b8b19f9e0f197cbf5737ddd06/chrome/service/cloud_print/printer_job_handler.cc
[modify] https://crrev.com/8adc973dd3bd361b8b19f9e0f197cbf5737ddd06/chrome/service/cloud_print/printer_job_handler.h
[modify] https://crrev.com/8adc973dd3bd361b8b19f9e0f197cbf5737ddd06/chrome/service/service_utility_process_host.cc
Apr 23 2016
Apr 25 2016
Thanks for the fix thestig@. A few questions:
1) Are the temp files left in place on Mac/Linux or is this a Windows only problem? If it occurs on Mac/Linux also we should fix them as well (glad to open separate bugs if that's what's needed).
2) Can we get the fix merged down to 51 beta and possibly 50 stable? Customer is anxious to see this issue resolved in their prod environment.
Apr 25 2016
re: comment 22 - During normal operations, the temp files are always deleted. If the proxy crashes, there's always a chance temp files will be leaked. It's less likely on Windows. We can try for M51.
Apr 25 2016
Your change meets the bar and is auto-approved for M51 (branch: 2704)
Apr 25 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/9881555842c9589c2f58c1c956cb7eada53fa4a5
commit 9881555842c9589c2f58c1c956cb7eada53fa4a5
Author: Lei Zhang <thestig@chromium.org>
Date: Mon Apr 25 20:42:25 2016
Merge to M51: Cloud Print Proxy: Delete print jobs.
There always exists some time window when the print job may not get deleted if the proxy crashes, but in general, print jobs will be deleted after they are spooled.
Do some cleanups along the way.
BUG= 602736
Review URL: https://codereview.chromium.org/1907083002
Cr-Commit-Position: refs/heads/master@{#389354}
(cherry picked from commit 8adc973dd3bd361b8b19f9e0f197cbf5737ddd06)
Review URL: https://codereview.chromium.org/1920793005 .
Cr-Commit-Position: refs/branch-heads/2704@{#225}
Cr-Branched-From: 6e53600def8f60d8c632fadc70d7c1939ccea347-refs/heads/master@{#386251}
[modify] https://crrev.com/9881555842c9589c2f58c1c956cb7eada53fa4a5/chrome/service/cloud_print/print_system_cups.cc
[modify] https://crrev.com/9881555842c9589c2f58c1c956cb7eada53fa4a5/chrome/service/cloud_print/print_system_win.cc
[modify] https://crrev.com/9881555842c9589c2f58c1c956cb7eada53fa4a5/chrome/service/cloud_print/printer_job_handler.cc
[modify] https://crrev.com/9881555842c9589c2f58c1c956cb7eada53fa4a5/chrome/service/cloud_print/printer_job_handler.h
[modify] https://crrev.com/9881555842c9589c2f58c1c956cb7eada53fa4a5/chrome/service/service_utility_process_host.cc
Comment 1 by royans@chromium.org, Apr 12 2016
Owner: saswat@chromium.org