
Firefox 127+ Downloaded Filenames Appended With Underscores In Some Circumstances

  • 3 replies
  • 0 have this problem
  • 34 views
  • Last reply by Mike Cohen


Problem: When exporting or downloading content from the GUI in the digital forensics tool Velociraptor, underscores are appended to the beginning and end of filenames. File is otherwise downloaded correctly, but removal of underscores necessary if original filename is desired. One hypothesis is that perhaps for security reasons there were changes made in Firefox 127 for how character escaping is performed.

Tested Operating Systems: Ubuntu 24.04, Windows 11 22H2, Windows 11 24H2, macOS Sonoma (14.5)

Affected Firefox version(s): Confirmed 127.0, 127.0.1, 127.0.2

Tested Firefox versions which do not reproduce the behavior: 126.x, 125.x

Testing Microsoft Edge, Chromium, Google Chrome on Windows, macOS, Linux: files download with correct name as expected.

Testing performed with clean installations on clean VMs with no add-ons enabled.

To reproduce:

  • Download the latest release of Velociraptor from GitHub (at the time of this writing, 0.72.3) for preferred platform / operating system.
  • Run Velociraptor using the gui switch, e.g. "$sudo velociraptor-v0.72.3-windows-amd64 gui" or "$ velociraptor-v0.72.3-windows-amd64.exe gui"
  • Navigate to Server Artifacts and click the "+" icon at the top
  • Search for Server.Utils.CreateMSI - select and press Launch
  • Select the newly-created flow, click "Uploaded Files" tab and click vfs_path to download the file, or click the Notebook tab and click Download JSON or Download CSV buttons to download JSON or CSV respectively
  • Underscores are appended to beginning and end of filenames.

Screenshot attached

All replies (3)


Is Firefox sanitizing the filename?

What filename does the server send if you check the HTTP response headers in the Network Monitor?


Response Headers shows:

content-disposition attachment; filename*=utf-8""; filename=""

Looking at Response Headers in a version of Firefox such as 125, in which downloads are not appended with underscores, the response headers appear to be the same. Screenshot attached of Firefox 127.0.2 Response Headers

Thank you very much for your help.


Please see linked issue https://github.com/Velocidex/velociraptor/issues/3694; this is probably a documentation bug in MDN.

Following the reference https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Disposition shows that the `filename*` field must be encoded according to RFC 5987, which shows an example:

https://datatracker.ietf.org/doc/html/rfc5987#section-3.2.2

```
foo: bar; title*=UTF-8''%c2%a3%20and%20%e2%82%ac%20rates
```

So it does not include the quotes before and after. While the `filename` parameter should have the quotes:

```
Content-Disposition: attachment; filename="filename.jpg"
```

Yet from the very same MDN reference we have the following example:

```
Content-Disposition: inline
Content-Disposition: attachment
Content-Disposition: attachment; filename="filename.jpg"
Content-Disposition: attachment; filename*="filename.jpg"
```

Which shows quotes around the `filename*` parameter.

So it seems that Firefox started to be very literal in following the RFC and considers the quotes as part of the filename now, which is why they are replaced with _. However, Chrome is still flexible in allowing optional quotes around the `filename*` parameter.

I just tried removing the quotes from `filename*` on Firefox on Windows and this does solve the issue. Probably the MDN documentation should be updated though as well.
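The header shape described in the answer above (quoted `filename`, unquoted RFC 5987 `filename*`), as an added example that is not part of the original post and not Velociraptor's own code. The function names and the sample filename are hypothetical, and the strict decoder is a server-side check for catching a quoted `filename*` before it ships, not a model of Firefox's parser.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// attrChars: bytes RFC 5987 allows unescaped in an ext-value (note: no double quote).
const attrChars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!#$&+-.^_`|~"

// EncodeExtValue returns name as charset'language'value-chars, with no surrounding quotes.
func EncodeExtValue(name string) string {
	var sb strings.Builder
	for i := 0; i < len(name); i++ {
		if strings.IndexByte(attrChars, name[i]) >= 0 {
			sb.WriteByte(name[i])
		} else {
			fmt.Fprintf(&sb, "%%%02X", name[i]) // percent-encode each UTF-8 byte
		}
	}
	return "UTF-8''" + sb.String()
}

// DecodeExtValue strictly parses an ext-value and rejects a quoted one instead of unwrapping it.
func DecodeExtValue(v string) (string, error) {
	parts := strings.SplitN(v, "'", 3)
	if len(parts) != 3 || !strings.EqualFold(parts[0], "UTF-8") {
		return "", fmt.Errorf("ext-value %q is not UTF-8'lang'value", v)
	}
	bad := func(r rune) bool { return !strings.ContainsRune(attrChars+"%", r) }
	if i := strings.IndexFunc(parts[2], bad); i >= 0 {
		return "", fmt.Errorf("character at offset %d not allowed in ext-value", i)
	}
	return url.PathUnescape(parts[2])
}

// ContentDisposition builds the header with a quoted ASCII fallback and an unquoted filename*.
func ContentDisposition(name string) string {
	fallback := strings.Map(func(r rune) rune {
		if r < 0x20 || r > 0x7e || r == '"' || r == '\\' {
			return '_' // keep the quoted-string fallback plain ASCII
		}
		return r
	}, name)
	return fmt.Sprintf(`attachment; filename="%s"; filename*=%s`, fallback, EncodeExtValue(name))
}

func main() { fmt.Println(ContentDisposition("flow £ report.csv")) } // constructed sample name
```

Running `DecodeExtValue` over the `filename*` value in a handler's unit test catches the quoted form regardless of which browser is used to check the download by hand.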