Right click, "Save As" in firefox runs script instead of saving it

Bug #187736 reported by stairwayoflight
Affects: firefox-3.0 (Ubuntu)
Status: Invalid
Importance: Low
Assigned to: Unassigned

Bug Description

Binary package hint: mozilla-firefox

Attempting to save an 'apt:' script with a 'Right click'->'Save As' operation causes the script to be run after selecting the save file and path from the dialog.

This happens with, e.g., the following url:
apt://ubuntustudio-desktop;apt:ubuntustudio-icon-theme;apt:ubuntustudio-look;apt:ubuntustudio-theme;apt:ubuntustudio-wallpapers;apt:usplash-theme-ubuntustudio

Either I am missing something or this operation should never run code; I was hesitant to run this script but in my attempt to download it, it ran anyways.

I have an up to date gutsy ubuntu-desktop installation, here is the Firefox version:
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.11) Gecko/20071204 Ubuntu/7.10 (gutsy) Firefox/2.0.0.11

Rolf Leggewie (r0lf) wrote :

Is that a clickable URL for you? Any extensions installed? For me, this is just text.

Rolf Leggewie (r0lf)
Changed in mozilla-firefox:
assignee: nobody → r0lf
status: New → Incomplete
stairwayoflight (stairwayoflight) wrote : Re: [Bug 187736] Re: Right click, "Save As" in firefox runs script instead of saving it

Sorry Rolf,

That url appears on the following page:

http://www.ubuntu-unleashed.com/2007/12/1-click-install-ubuntu-studio-theme-in.html

I just clicked "copy link location" and pasted it. The issue I was having is
that I couldn't look at what was being executed before executing it. On
gutsy if I right click the one-click-install link as it appears in the above
mentioned page, then click "Save link as", it runs the associated ubuntu
program which attempts to install all the different parts.

I don't know if it is a security threat, but it doesn't make sense to me to
have it run a program when I try to save any content pointed to by the link.
My guess is they got firefox to pass the apt:// urls to ubuntu to install
the corresponding programs, instead of downloading the content and
displaying it. But a "Save link As" will normally cause the browser to
follow the link, and shoot the content to disk. I suppose when the browser
goes to download the content in the first part of a "Save link As"
operation, the download function defaults to invoking ubuntu to install the
stuff instead.

Whether or not I have a good grasp of what's happening, I don't believe this
should be the default behavior.

Regards,
Timothy

On Thu, May 29, 2008 at 5:50 AM, Rolf Leggewie <launchpad.net@
rolf.leggewie.biz> wrote:

> ** Changed in: firefox (Ubuntu)
> Sourcepackagename: mozilla-firefox => firefox
> Assignee: (unassigned) => Rolf Leggewie (r0lf)
> Status: New => Incomplete
>
> --
> Right click, "Save As" in firefox runs script instead of saving it
> https://bugs.launchpad.net/bugs/187736
> You received this bug notification because you are a direct subscriber
> of the bug.
>
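
The concern in the comment above is not being able to see what an apt: link will do before it is handed to the installer. As an added example (not part of the original report, nor Firefox or Ubuntu code), this Python function lists the packages such a link names without invoking any handler. The function name `parse_apt_link`, the ';'-joined form it assumes, and the constructed sample entries are assumptions made for illustration.

```python
import re

# Debian Policy package-name rule: lowercase letters, digits, '+', '-', '.',
# at least two characters, starting with an alphanumeric character.
PKG_NAME = re.compile(r"[a-z0-9][a-z0-9+.\-]+")

# The link quoted in the bug description.
REPORTED_LINK = (
    "apt://ubuntustudio-desktop;apt:ubuntustudio-icon-theme;"
    "apt:ubuntustudio-look;apt:ubuntustudio-theme;"
    "apt:ubuntustudio-wallpapers;apt:usplash-theme-ubuntustudio"
)

# Constructed sample with entries that should be flagged for review.
CONSTRUCTED_LINK = (
    "apt:ubuntustudio-look; apt:Not_A_Package;"
    "http://example.invalid/file;apt:x"
)


def parse_apt_link(link):
    """Return (packages, rejected) for an apt: link; nothing is executed.

    Assumes one or more 'apt:' or 'apt://' entries joined by ';', as in the
    report. Entries with another scheme, or whose name is not a valid Debian
    package name, are returned in `rejected` for manual review.
    """
    packages, rejected = [], []
    for entry in link.strip().split(";"):
        entry = entry.strip()
        if not entry:
            continue
        scheme, sep, rest = entry.partition(":")
        if sep != ":" or scheme.lower() != "apt":
            rejected.append(entry)
            continue
        name = rest[2:] if rest.startswith("//") else rest
        if PKG_NAME.fullmatch(name):
            packages.append(name)
        else:
            rejected.append(entry)
    return packages, rejected


if __name__ == "__main__":
    for link in (REPORTED_LINK, CONSTRUCTED_LINK):
        pkgs, bad = parse_apt_link(link)
        print("would install:", pkgs, "| needs review:", bad)
```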

Rolf Leggewie (r0lf) wrote :

Thank you for reporting back.

Indeed, I can confirm this behaviour and I tend to agree that a script should not be automatically executed after "Save Link as". At least, the user is being asked, though, if the script should be run, so if anything this is a minor problem.

Changed in firefox:
assignee: r0lf → nobody
importance: Undecided → Low
status: Incomplete → Confirmed
John Vivirito (gnomefreak) wrote :

Rolf Leggewie wrote:
> Thank you for reporting back.
>
> Indeed, I can confirm this behaviour and I tend to agree that a script
> should not be automatically executed after "Save Link as". At least,
> the user is being asked, though, if the script should be run, so if
> anything this is a minor problem.
>
> ** Changed in: firefox-3.0 (Ubuntu)
> Sourcepackagename: firefox => firefox-3.0
> Importance: Undecided => Low
> Assignee: Rolf Leggewie (r0lf) => (unassigned)
> Status: Incomplete => Confirmed
>
Alexander just told me this was fixed in firefox-3 and thunderbird 2; here is the convo pasted below.

> 08:05 < ubottu > Launchpad bug 175286 in mozilla-firefox "Feature
> request: save files read-only when invoking external
> viewers" [Undecided,New]
> https://launchpad.net/bugs/175286
> 08:08 < asac > gnomefreak: thats fixed in hardy
> 08:08 < asac > look at a changelog to infd the dupe
> 08:08 < gnomefreak > k
> 08:08 < gnomefreak > in FF3 or 2?
> 08:12 < gnomefreak > asac: im not seeing it
> https://edge.launchpad.net/ubuntu/+source/firefox-3.0
> nor in firefox source package
> 08:13 < asac > gnomefreak: no thats fixed in thunderb
> 08:13 < asac > irdf
> 08:13 < asac > firefox 3 has it fixed
> 08:13 < asac > ffox 2 wontfix
> 08:16 < gnomefreak > asac: firefox-3 fix was ours or upstreams?
> 08:17 < gnomefreak > fucking thunderbird feature is broken cant send
> unsent mails after turning it back online
> 08:18 < asac > gnomefreak: fffox 3 == fixed upstream
> 08:18 < asac > tbird 2 == fixed here
> 08:18 < asac > ffox 2 == wontfix
> 08:18 < gnomefreak > thanks

Closing bug report due to the above conversation.

--
Sincerely Yours,
    John Vivirito

https://launchpad.net/~gnomefreak
https://wiki.ubuntu.com/JohnVivirito
Linux User# 414246

Changed in firefox-3.0:
status: Confirmed → Invalid
Alexander Sack (asac) wrote : Re: [Bug 187736] Re: Right click, "Save As" in firefox runs script instead of saving it

On Wed, Jun 04, 2008 at 04:54:01AM -0000, stairwayoflight wrote:
> Sorry Rolf,
>
> That url appears on the following page:
>
> http://www.ubuntu-unleashed.com/2007/12/1-click-install-ubuntu-studio-theme-in.html
>
> I just clicked "copy link location" and pasted it. The issue I was having is
> that I couldn't look at what was being executed before executing it. On
> gutsy if I right click the one-click-install link as it appears in the above
> mentioned page, then click "Save link as", it runs the associated ubuntu
> program which attempts to install all the different parts.
>
> I don't know if it is a security threat, but it doesn't make sense to me to
> have it run a program when I try to save any content pointed to by the link.
> My guess is they got firefox to pass the apt:// urls to ubuntu to install
> the corresponding programs, instead of downloading the content and
> displaying it. But a "Save link As" will normally cause the browser to
> follow the link, and shoot the content to disk. I suppose when the browser
> goes to download the content in the first part of a "Save link As"
> operation, the download function defaults to invoking ubuntu to install the
> stuff instead.
>
> Whether or not I have a good grasp of what's happening, I don't believe this
> should be the default behavior.

Can anyone reproduce this and provide clear step-by-step instructions
on how to reproduce?

 status incomplete

 - Alexander

Changed in firefox-3.0:
status: Invalid → Incomplete
Jonathan Thomas (echidnaman) wrote :

We are closing this bug report because it lacks the information we need to investigate the problem, as described in the previous comments. Please reopen it if you can give us the missing information, and don't hesitate to submit bug reports in the future. To reopen the bug report you can click on the current status, under the Status column, and change the Status back to "New". Thanks again!

Changed in firefox-3.0:
status: Incomplete → Invalid
prasad_qx (prasad-qx) wrote :

I wish to report a similar problem of the script opening rather than opening of the "save" dialog box. In fact, I am facing this problem with Firefox as well as Opera with Super OS 9.04.
