New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.
Starred by 2 users

Issue metadata

Status: Fixed
Closed: Aug 2011
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 3
Type: Bug-Security

  • Only users with EditIssue permission may comment.

Sign in to add a comment

Prevent silent truncation of trailing characters in downloaded file names

Reported by, Jul 22 2011

Issue description

The attached file won't prompt you the typical "this file can potentially damage your computer"

Chrome Version: 14.0.825.0 dev-m
Operating System: Windows 7 - also works on windows xp

click the attached file

see bug/5067277 credit/reward should be given to
8 bytes View Download
to fix this I would suggest do as Firefox or as IE, which will encode or save the file with the char.

Comment 2 by, Jul 24 2011

Status: WontFix
Many file types are not prompted on download based on a few heuristics (user gesture, visited the site before today, etc.). 
Labels: -Restrict-View-SecurityTeam -Area-Undefined
You are right.


Comment 4 by, Jul 26 2011

Labels: SecSeverity-Low
Status: Assigned
The thing here is that CreateFile always truncates any trailing whitespace and period characters. In the scenario described it's not a security issue, but we really should account for that when we canonicalize the filename on Windows. I'm not sure where that code is, so this should be a fun starter bug for Ken.

Comment 5 by, Jul 27 2011

Labels: -Pri-0 Pri-3 Restrict-View-SecurityTeam

Comment 6 by, Jul 29 2011

Status: WontFix
The bug does not reproduce on beta, canary, or trunk. Visiting the link in comment 3 with an empty user data directory gives the harmful download prompt.

Comment 7 by, Aug 11 2011

hey Ken. The dialog prompt is expected on that link. 

I believe the issue is: if something like meh.exe%25C2%25A0 will be downloaded from Gmail, it won't prompt (due to various heuristics), but will be saved as meh.exe (trailing characters stripped). 

So we have the situation where Gmail allows the sending of attachment (since it's not a banned file), and Chrome happily downloads and converts it to an unsafe fie type without prompt.

Comment 8 by, Aug 11 2011

Adam, this bug was focused on where trailing characters might be stripped, potentially confusing the heuristic. With the Gmail case, is the behavior any different downloading meh.exe%25C2%25A0 compared to downloading meh.exe?

Comment 9 by, Aug 11 2011

Labels: OS-Windows
Status: Assigned
Summary: Prevent silent truncation of trailing characters in downloaded file names
Reopening. This was closed due to some confusion on what the actual bug was. Just to clarify, we need to fix the downloaded file canonicalization on Windows so it doesn't strip trailing whitespace and period characters.
Labels: Mstone-14 Area-Internals Feature-Downloads

Comment 12 by, Aug 18 2011

Adding Asanka to the cc line; he's working in the filename determination area within downloads.  Asanka, is the work you're doing relevant to this CL?

#9: We are stripping trailing whitespace and periods because of issues like this:

Or are you suggesting that we encode trailing whitespace and periods instead of stripping them?

Comment 16 by, Aug 19 2011

The patch I have written (and is awaiting code review) still strips those characters, but is now replacing them with hyphens to prevent obfuscation of .exe extensions.

I discussed the possibility of encoding them with jschuh, but we opted for hyphens because it is simpler and is consistent with existing treatment of illegal filename characters.
Sounds good.

Though you'll run into conflicts with

Comment 18 by, Aug 22 2011

Jschuh: The try not results look okay to me, are you okay to commit this cl?

Comment 19 by Deleted ...@, Aug 22 2011

I should not be getting these emails. 
Cc: -a deleted user
Project Member

Comment 21 by, Aug 25 2011

The following revision refers to this bug:

r98148 | | Wed Aug 24 16:58:19 PDT 2011

Changed paths:

Replace whitespace at beginning and end of file with hyphens, rather than silently discarding.

BUG= 90217 

Review URL:
Labels: -Restrict-View-SecurityTeam -Mstone-14 Restrict-View-SecurityNotify Mstone-15
Status: FixUnreleased
I think this is now fixed, Ken? Please re-open it if I've marked it as fixed in error :)
Labels: SecImpacts-Stable
Batch update.
@marc.novak: we'll credit you for this in our Chrome 15 release notes. Let me know if that's not ok, or if there's some particular credit line you'd prefer.
@scarybeasts : Thanks for the message, a credit would be great! Can you use
"Marc Novak" as the credit line. If there's hyperlink option on the credit
line, please use

Good work guys and thanks :)

p.s was the associated Gmail vulnerability reported under my correct email
address? I noticed that incorrect one was originally used on this thread.
Labels: CVE-2011-3876

Comment 27 by, May 15 2012

Status: Fixed
Marking old security bugs Fixed..
Project Member

Comment 28 by, Oct 13 2012

Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.
Project Member

Comment 29 by, Mar 10 2013

Labels: -Type-Security -SecSeverity-Low -Mstone-15 -Area-Internals -Feature-Downloads -SecImpacts-Stable Security-Severity-Low Cr-Internals Security-Impact-Stable M-15 Type-Bug-Security Cr-UI-Browser-Downloads
Project Member

Comment 30 by, Mar 13 2013

Labels: Restrict-View-EditIssue
Project Member

Comment 31 by, Mar 13 2013

Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue
Labels: -Restrict-View-SecurityNotify -Restrict-View-EditIssue
Project Member

Comment 33 by, Mar 21 2013

Labels: -Security-Severity-Low Security_Severity-Low
Project Member

Comment 34 by, Mar 21 2013

Labels: -Security-Impact-Stable Security_Impact-Stable
Project Member

Comment 35 by, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit - Your friendly Sheriffbot
Project Member

Comment 36 by, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit - Your friendly Sheriffbot
Labels: allpublic
Labels: CVE_description-submitted

Sign in to add a comment