New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.
Starred by 2 users
Status: Fixed
Closed: Aug 2011
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 3
Type: Bug-Security

  • Only users with EditIssue permission may comment.

Sign in to add a comment
Prevent silent truncation of trailing characters in downloaded file names
Reported by, Jul 22 2011 Back to list
The attached file won't prompt you the typical "this file can potentially damage your computer"

Chrome Version: 14.0.825.0 dev-m
Operating System: Windows 7 - also works on windows xp

click the attached file

see bug/5067277 credit/reward should be given to
8 bytes View Download
to fix this I would suggest do as Firefox or as IE, which will encode or save the file with the char.
Comment 2 by, Jul 24 2011
Status: WontFix
Many file types are not prompted on download based on a few heuristics (user gesture, visited the site before today, etc.). 
Labels: -Restrict-View-SecurityTeam -Area-Undefined
You are right.

Comment 4 by, Jul 26 2011
Labels: SecSeverity-Low
Status: Assigned
The thing here is that CreateFile always truncates any trailing whitespace and period characters. In the scenario described it's not a security issue, but we really should account for that when we canonicalize the filename on Windows. I'm not sure where that code is, so this should be a fun starter bug for Ken.
Comment 5 by, Jul 27 2011
Labels: -Pri-0 Pri-3 Restrict-View-SecurityTeam
Comment 6 by, Jul 29 2011
Status: WontFix
The bug does not reproduce on beta, canary, or trunk. Visiting the link in comment 3 with an empty user data directory gives the harmful download prompt.
Comment 7 by, Aug 11 2011
hey Ken. The dialog prompt is expected on that link. 

I believe the issue is: if something like meh.exe%25C2%25A0 will be downloaded from Gmail, it won't prompt (due to various heuristics), but will be saved as meh.exe (trailing characters stripped). 

So we have the situation where Gmail allows the sending of attachment (since it's not a banned file), and Chrome happily downloads and converts it to an unsafe fie type without prompt.
Comment 8 by, Aug 11 2011
Adam, this bug was focused on where trailing characters might be stripped, potentially confusing the heuristic. With the Gmail case, is the behavior any different downloading meh.exe%25C2%25A0 compared to downloading meh.exe?
Comment 9 by, Aug 11 2011
Labels: OS-Windows
Status: Assigned
Summary: Prevent silent truncation of trailing characters in downloaded file names (was: NULL)
Reopening. This was closed due to some confusion on what the actual bug was. Just to clarify, we need to fix the downloaded file canonicalization on Windows so it doesn't strip trailing whitespace and period characters.
Labels: Mstone-14 Area-Internals Feature-Downloads
Comment 12 by, Aug 18 2011
Adding Asanka to the cc line; he's working in the filename determination area within downloads.  Asanka, is the work you're doing relevant to this CL?

#9: We are stripping trailing whitespace and periods because of issues like this:

Or are you suggesting that we encode trailing whitespace and periods instead of stripping them?

Comment 16 by, Aug 19 2011
The patch I have written (and is awaiting code review) still strips those characters, but is now replacing them with hyphens to prevent obfuscation of .exe extensions.

I discussed the possibility of encoding them with jschuh, but we opted for hyphens because it is simpler and is consistent with existing treatment of illegal filename characters.
Sounds good.

Though you'll run into conflicts with

Comment 18 by, Aug 22 2011
Jschuh: The try not results look okay to me, are you okay to commit this cl?
Comment 19 by Deleted ...@, Aug 22 2011
I should not be getting these emails. 
Cc: -a deleted user
Project Member Comment 21 by, Aug 25 2011
The following revision refers to this bug:

r98148 | | Wed Aug 24 16:58:19 PDT 2011

Changed paths:

Replace whitespace at beginning and end of file with hyphens, rather than silently discarding.

BUG= 90217 

Review URL:
Labels: -Restrict-View-SecurityTeam -Mstone-14 Restrict-View-SecurityNotify Mstone-15
Status: FixUnreleased
I think this is now fixed, Ken? Please re-open it if I've marked it as fixed in error :)
Labels: SecImpacts-Stable
Batch update.
@marc.novak: we'll credit you for this in our Chrome 15 release notes. Let me know if that's not ok, or if there's some particular credit line you'd prefer.
@scarybeasts : Thanks for the message, a credit would be great! Can you use
"Marc Novak" as the credit line. If there's hyperlink option on the credit
line, please use

Good work guys and thanks :)

p.s was the associated Gmail vulnerability reported under my correct email
address? I noticed that incorrect one was originally used on this thread.
Labels: CVE-2011-3876
Comment 27 by, May 15 2012
Status: Fixed
Marking old security bugs Fixed..
Project Member Comment 28 by, Oct 13 2012
Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.
Project Member Comment 29 by, Mar 10 2013
Labels: -Type-Security -SecSeverity-Low -Mstone-15 -Area-Internals -Feature-Downloads -SecImpacts-Stable Security-Severity-Low Cr-Internals Security-Impact-Stable M-15 Type-Bug-Security Cr-UI-Browser-Downloads
Project Member Comment 30 by, Mar 13 2013
Labels: Restrict-View-EditIssue
Project Member Comment 31 by, Mar 13 2013
Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue
Labels: -Restrict-View-SecurityNotify -Restrict-View-EditIssue
Project Member Comment 33 by, Mar 21 2013
Labels: -Security-Severity-Low Security_Severity-Low
Project Member Comment 34 by, Mar 21 2013
Labels: -Security-Impact-Stable Security_Impact-Stable
Project Member Comment 35 by, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit - Your friendly Sheriffbot
Project Member Comment 36 by, Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit - Your friendly Sheriffbot
Labels: allpublic
Sign in to add a comment