Join the AMA (Ask Me Anything) with the Firefox leadership team to celebrate Firefox 20th anniversary and discuss Firefox’s future on Mozilla Connect. Mark your calendar on Thursday, November 14, 18:00 - 20:00 UTC!

Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

Firefox changing file names which contain '%' to an underscore (_) when saving files

  • 9 iimpendulo
  • 3 inale ngxaki
  • 1 view
  • Impendulo yokugqibela ngu hvhv

more options

Hi I'm running into an issue where I'm trying to save files while retaining their original filenames, but '%' characters are changed into an underscore when I try to save it. I've tested this with Google Chrome but it doesn't run into this issue. Is there a setting or workaround so that Firefox will leave the filenames alone?

Hi I'm running into an issue where I'm trying to save files while retaining their original filenames, but '%' characters are changed into an underscore when I try to save it. I've tested this with Google Chrome but it doesn't run into this issue. Is there a setting or workaround so that Firefox will leave the filenames alone?

Isisombulu esikhethiweyo

This is a high impact security fix that is not configurable.

CVE-2022-31739: Attacker-influenced path traversal when saving downloaded files When downloading files on Windows, the % character was not escaped, which could have lead to a download incorrectly being saved to attacker-influenced paths that used variables such as %HOMEPATH% or %APPDATA%. This bug only affects Firefox for Windows. Other operating systems are unaffected.

CVE-2022-31739

Funda le mpendulo kwimeko leyo 👍 1

All Replies (9)

more options

I've included an image that shows what happens when I save a file with '%' characters in the filename.

The original file name is: [sound=https%3A%2F%2Ffiles.catbox.moe%2Fb5wg0l.mp3].gif

but when I save the file and choose a folder to save it to, the file is changed to: [sound=https_3A_2F_2Ffiles.catbox.moe_2Fb5wg0l.mp3].gif

more options

Can you share an example file link?

more options

zeroknight said

Can you share an example file link?

Sure, I've uploaded this image named 'test %%%' https://mega.nz/file/h5FkjKbZ#bd8IGj_tze7tuIxKrQIYUchnwe6bA5XR3gP2spbwe_Q

I tried saving it myself, and as shown in my attached image, it shows up as 'test ___' when saving the file.

Edit: Adding onto this, but I experience the same issue even when disabling all add-ons.

Ilungisiwe ngu hvhv

more options

Works for me. see screenshot What security software are your running?

more options

jonzn4SUSE said

Works for me. see screenshot What security software are your running?

I'm using Windows Defender. I tried reinstalling Firefox (without uninstalling in order to preserve my saved tabs, settings and addons) but the issue still persists.

Just in case it could help, I'll include my OS details: Microsoft Windows 10 Home x64, Version 10.0.19045 Build 19045

I created a secondary profile using about:profiles, and the issue isn't present in the new profile, so it has something to do with my settings, but I'd rather not lose all my settings to fix this annoying issue.

Ilungisiwe ngu hvhv

more options

The "%" symbols are replaced for security reasons in the save dialog when you have "Always ask you where to save files" enabled . Do you have a specific use case for preserving them?

more options

zeroknight said

The "%" symbols are replaced for security reasons in the save dialog when you have "Always ask you where to save files" enabled . Do you have a specific use case for preserving them?

Wow, good to know. Is there a setting in about:config or someplace else where I can disable that security feature? I'd like to keep preserving '%' characters in filenames as I sometimes download files in which the % in the filename is necessary. I'd also like to be able to keep choosing where I save each individual file for organizational purposes.

more options

Isisombululo esiKhethiweyo

This is a high impact security fix that is not configurable.

CVE-2022-31739: Attacker-influenced path traversal when saving downloaded files When downloading files on Windows, the % character was not escaped, which could have lead to a download incorrectly being saved to attacker-influenced paths that used variables such as %HOMEPATH% or %APPDATA%. This bug only affects Firefox for Windows. Other operating systems are unaffected.

CVE-2022-31739

more options

zeroknight said

This is a high impact security fix that is not configurable.
CVE-2022-31739: Attacker-influenced path traversal when saving downloaded files When downloading files on Windows, the % character was not escaped, which could have lead to a download incorrectly being saved to attacker-influenced paths that used variables such as %HOMEPATH% or %APPDATA%. This bug only affects Firefox for Windows. Other operating systems are unaffected.

CVE-2022-31739

Thanks for linking the thread regarding the bug. I'm not familiar with what's being discussed or how the bug resolving process works, is the '%' changing into '_' a temporary solution or is the issue considered fully resolved? I'd like to know if the developers plan to actually fix it, instead of applying a band-aid solution.