© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
0e1f616
(Get the code!)
tbird specific change is not good enough. Firefox has the same exact issue; all it takes is to open attachments from your webmail account.
We do NOT want to obfuscate the filename. We've done that in the past, and users hate it. They want to find their files.
The right fix really is the restricted parent directory fix. If your temp dir (or otherwise download dir) is on a file system that does not support restricting permissions, you already lose because the attacker doesn't have to try to deal with filenames at all: just grab all the file data and analyze at leisure.