chrome.downloads.download on Linux can't save to a hidden path or filename like "path/.to/file/filename"
Reported by
bugs.chr...@eigenvektor.de,
May 30 2017
|
|||||
Issue description
UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/58.0.3029.110 Chrome/58.0.3029.110 Safari/537.36
Steps to reproduce the problem:
1. open the console for some extension with the downloads permission
2. type chrome.downloads.download({url: "http://example.org/index.html", filename: "path/.to/file/example.html"})
What is the expected behavior?
On Linux the file should get downloaded into the directory "path/.to/file" inside the downloads folder.
What went wrong?
The following error gets thrown: "Unchecked runtime.lastError while running downloads.download: Invalid filename"
Did this work before? No
Does this work in other browsers? Yes
Chrome version: 58.0.3029.110 Channel: stable
OS Version:
Flash Version: Shockwave Flash 24.0 r0
The same error also gets thrown if the filename contains one of characters that is not valid in Windows filenames: " ? ~ < > : * |
This is not documented in the API. The API only says "Absolute paths, empty paths, and paths containing back-references '..' will cause an error."
,
May 31 2017
reporter@ -Could you please provide link for any sample extension causing this issue. Thanks!
,
May 31 2017
You can try it in any extension with the downloads permission. For example take this one: https://developer.chrome.com/extensions/examples/api/downloads/downloads_overwrite.zip Open the background page and try the following in the console. This works: chrome.downloads.download({url: "http://example.org/index.html", filename: "example.html"}) This does not work: chrome.downloads.download({url: "http://example.org/index.html", filename: ".example.html"}) This particular extension would pick another filename anyway, but the error even prevents that.
,
May 31 2017
Thank you for providing more feedback. Adding requester "jbanavatu@chromium.org" to the cc list and removing "Needs-Feedback" label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jun 1 2017
Let's make sure that this is intentional. If so, we should update the documentation. If not, then let's fix to enable the scenario if there are no security concerns.
,
Jun 3 2017
Just checked the code, in downloads_api.cc, DownloadsDownloadFunction::RunAsync. I think we use net::IsSafePortableRelativePath to check the path and set the error. If any of the components in the path started with ".", it will set an invalid file name error. This is probably expected behavior, Since this logic is mostly in extension layer, add benjhayden@ for more thoughts. chrome.downloads.download api is here: https://developer.chrome.com/extensions/downloads#method-download
,
Jun 3 2017
Outside of extensions I can use any Linux filename for downloads. For example when I click on an image and do "save as". If that dialog isn't provided by the OS, maybe there is another (more acurate) function to check for valid filenames in the codebase? |
|||||
►
Sign in to add a comment |
|||||
Comment 1 by phistuck@chromium.org
, May 30 2017Labels: -Hotlist-Interop