搜尋 Mozilla 技術支援網站

防止技術支援詐騙。我們絕對不會要求您撥打電話或發送簡訊,或是提供個人資訊。請用「回報濫用」功能回報可疑的行為。

了解更多

Firefox changing file names which contain '%' to an underscore (_) when saving files

  • 9 回覆
  • 3 有這個問題
  • 1 次檢視
  • 最近回覆由 hvhv

more options

Hi I'm running into an issue where I'm trying to save files while retaining their original filenames, but '%' characters are changed into an underscore when I try to save it. I've tested this with Google Chrome but it doesn't run into this issue. Is there a setting or workaround so that Firefox will leave the filenames alone?

Hi I'm running into an issue where I'm trying to save files while retaining their original filenames, but '%' characters are changed into an underscore when I try to save it. I've tested this with Google Chrome but it doesn't run into this issue. Is there a setting or workaround so that Firefox will leave the filenames alone?

被選擇的解決方法

This is a high impact security fix that is not configurable.

CVE-2022-31739: Attacker-influenced path traversal when saving downloaded files When downloading files on Windows, the % character was not escaped, which could have lead to a download incorrectly being saved to attacker-influenced paths that used variables such as %HOMEPATH% or %APPDATA%. This bug only affects Firefox for Windows. Other operating systems are unaffected.

CVE-2022-31739

從原來的回覆中察看解決方案 👍 1

所有回覆 (9)

more options

I've included an image that shows what happens when I save a file with '%' characters in the filename.

The original file name is: [sound=https%3A%2F%2Ffiles.catbox.moe%2Fb5wg0l.mp3].gif

but when I save the file and choose a folder to save it to, the file is changed to: [sound=https_3A_2F_2Ffiles.catbox.moe_2Fb5wg0l.mp3].gif

more options

Can you share an example file link?

more options

zeroknight said

Can you share an example file link?

Sure, I've uploaded this image named 'test %%%' https://mega.nz/file/h5FkjKbZ#bd8IGj_tze7tuIxKrQIYUchnwe6bA5XR3gP2spbwe_Q

I tried saving it myself, and as shown in my attached image, it shows up as 'test ___' when saving the file.

Edit: Adding onto this, but I experience the same issue even when disabling all add-ons.

由 hvhv 於 修改

more options

Works for me. see screenshot What security software are your running?

more options

jonzn4SUSE said

Works for me. see screenshot What security software are your running?

I'm using Windows Defender. I tried reinstalling Firefox (without uninstalling in order to preserve my saved tabs, settings and addons) but the issue still persists.

Just in case it could help, I'll include my OS details: Microsoft Windows 10 Home x64, Version 10.0.19045 Build 19045

I created a secondary profile using about:profiles, and the issue isn't present in the new profile, so it has something to do with my settings, but I'd rather not lose all my settings to fix this annoying issue.

由 hvhv 於 修改

more options

The "%" symbols are replaced for security reasons in the save dialog when you have "Always ask you where to save files" enabled . Do you have a specific use case for preserving them?

more options

zeroknight said

The "%" symbols are replaced for security reasons in the save dialog when you have "Always ask you where to save files" enabled . Do you have a specific use case for preserving them?

Wow, good to know. Is there a setting in about:config or someplace else where I can disable that security feature? I'd like to keep preserving '%' characters in filenames as I sometimes download files in which the % in the filename is necessary. I'd also like to be able to keep choosing where I save each individual file for organizational purposes.

more options

選擇的解決方法

This is a high impact security fix that is not configurable.

CVE-2022-31739: Attacker-influenced path traversal when saving downloaded files When downloading files on Windows, the % character was not escaped, which could have lead to a download incorrectly being saved to attacker-influenced paths that used variables such as %HOMEPATH% or %APPDATA%. This bug only affects Firefox for Windows. Other operating systems are unaffected.

CVE-2022-31739

more options

zeroknight said

This is a high impact security fix that is not configurable.
CVE-2022-31739: Attacker-influenced path traversal when saving downloaded files When downloading files on Windows, the % character was not escaped, which could have lead to a download incorrectly being saved to attacker-influenced paths that used variables such as %HOMEPATH% or %APPDATA%. This bug only affects Firefox for Windows. Other operating systems are unaffected.

CVE-2022-31739

Thanks for linking the thread regarding the bug. I'm not familiar with what's being discussed or how the bug resolving process works, is the '%' changing into '_' a temporary solution or is the issue considered fully resolved? I'd like to know if the developers plan to actually fix it, instead of applying a band-aid solution.