New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 849938 link

Starred by 1 user
Status: Assigned
Owner:
mgiuca@chromium.org
Long OOO (go/where-is-mgiuca)
Cc:
allanrobert@chromium.org
yamaguchi@chromium.org
mgiuca@chromium.org
creis@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug
Team-Security-UX

Blocked on:
issue 585422
Blocking:
issue 849998



Sign in to add a comment

Drag-and-drop a file with a spoofable (non-URL-decoded) character double-percent-encodes that character

Project Member Reported by mgiuca@chromium.org, Jun 6 2018 
Chrome Version: 67.0.3396.62
OS: Linux

What steps will reproduce the problem?
(1) Create a file called "test🔒file.html".
(2) Open a new tab in Chrome.
(3) Drag and drop the file from the file explorer to the Chrome new tab page.

What is the expected result?
1. Opens the URL "file:///.../test%F0%9F%94%92file.html".
2. Correctly displays the file contents.

What happens instead?
1. Opens the URL "file:///.../test%25F0%259F%2594%2592file.html".
2. Shows ERR_FILE_NOT_FOUND.

Could be a Linux-only bug where it's being escaped once by the Linux drag-and-drop system and again by Chrome. It is correctly encoded if you double-click the file to open in Chrome.

Note that even if the file is correctly encoded (as in expected result step 1), it still shows ERR_FILE_NOT_FOUND, due to  Issue 585422 . This bug is just about getting the correct URL.

Comment 1 by mgiuca@chromium.org, Jun 6 2018 

Note: This problem is specific to non-URL-decoded characters, i.e., those that are blacklisted in https://cs.chromium.org/chromium/src/net/base/escape.cc?q=ShouldUnescapeCodePoint

Comment 2 by mgiuca@chromium.org, Jun 6 2018

Blocking: 849998

Comment 3 by yamaguchi@chromium.org, Jul 25

Cc: yamaguchi@chromium.org

Comment 4 by mgiuca@chromium.org, Sep 7

Cc: allanrobert@chromium.org
+allanrobert

Sign in to add a comment