New issue
Advanced search Search tips

Issue 869591 link

Starred by 1 user

Issue metadata

Status: Available
Owner: ----
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows , Chrome , Mac
Pri: 2
Type: Bug



Sign in to add a comment

At specific website after clicking a link, file is downloaded without any warning and after opened without any warning

Reported by vba...@gmail.com, Jul 31

Issue description

UserAgent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.84 Safari/537.36

Steps to reproduce the problem:
1. Go to the: https://www21.atwiki.jp/botubotubotubotu/pages/28.html
2. Click link named "Ver.1.22"
3. The file is downloaded without any warning and after opened without any warning.

What is the expected behavior?
My web browser settings are to ask about where store the downloaded file.

What went wrong?
After clicking a link, the file is downloaded without any warning and after opened without any warning.

Did this work before? N/A 

Chrome version: 68.0.3440.84  Channel: stable
OS Version: 8.1
Flash Version: 

My web browser settings are to ask about where store the downloaded file and it always works so. But on that website, file (archive) is downloaded without asking where to store and after the archive is opened in Windows Explorer without any warning. 

The problem is in the link not on the page. If you just copy link and past in another window, the file will be downloaded without any warning and after opened without any warning.

Also, another link I found that behaves the same way: http://www36.atwiki.jp/mbfire/?cmd=upload&act=open&page=Photo%20stock&file=Fire%20Arrow_patch_1003_to_1004.zip

I think the problem is in link address which has "cmd=upload&act=open" in it.

Have not tested on other file types, like executables, but even with zip files that bug does not look safe.
 
Labels: Needs-Feedback
I'm having trouble reproducing this issue. Is there anything else you did except of setting up your Chrome browser to ask there to store each file after downloading?
I have looked at settings and there was option to open certain types of files automatically. I pressed "Clear" and now chrome asks to save as zip files. I realize that If I select "Always open this types of files" in downloaded file dialog that option appears in settings. So this is an issue.

Anyway it is quite easy to accidentally set to open file automatically which I think is dangerous and there should be some confirmation dialog or some other way to warn user what he is doing when setting this option.
Project Member

Comment 3 by sheriffbot@chromium.org, Aug 1

Cc: mmoroz@chromium.org
Labels: -Needs-Feedback
Thank you for providing more feedback. Adding the requester to the cc list.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Components: UI>Browser>Downloads
Labels: Team-Security-UX OS-Chrome OS-Linux OS-Mac
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Type-Bug
Thanks for the clarifications! Well, that seems to work as intended then. I'm removing this issue from the security queue but leaving open in case any other developers want to comment on that and consider adding a confirmation dialog.

Cc: -mmoroz@chromium.org
Status: Available (was: Unconfirmed)

Sign in to add a comment