This site will have limited functionality while we undergo maintenance to improve your experience. If an article doesn't solve your issue and you want to ask a question, we have our support community waiting to help you at @FirefoxSupport on Twitter and/r/firefox on Reddit.

Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

Firefox 127+ Downloaded Filenames Appended With Underscores In Some Circumstances

  • 3 replies
  • 0 have this problem
  • 1 view
  • Last reply by Mike Cohen

more options

Problem: When exporting or downloading content from the GUI in the digital forensics tool Velociraptor, underscores are appended to the beginning and end of filenames. File is otherwise downloaded correctly, but removal of underscores necessary if original filename is desired. One hypothesis is that perhaps for security reasons there were changes made in Firefox 127 for how character escaping is performed.

Tested Operating Systems: Ubuntu 24.04, Windows 11 22H2, Windows 11 24H2, macOS Sonoma (14.5) Affected Firefox version(s): Confirmed 127.0, 127.0.1, 127.0.2 Tested Firefox versions which do not reproduce the behavior: 126.x, 125.x > Testing Microsoft Edge, Chromium, Google Chrome on Windows, macOS, Linux: files download with correct name as expected. Testing performed with clean installations on clean VMs with no add-ons enabled.

To reproduce: Download the latest release of Velociraptor from Github (at the time of this writing, 0.72.3) for preferred platform / operating system. Run Velociraptor using the gui switch, e.g. "$sudo velociraptor-v0.72.3-windows-amd64 gui" or "$ velociraptor-v0.72.3-windows-amd64.exe gui" Navigate to Server Artifacts and click the "+" icon at the top Search for Server.Utils.CreateMSI - select and press Launch Select the newly-created flow, click "Uploaded Files" tab and click vfs_path to download the file or, click the Notebook tab and click Download JSON or Download CSV buttons to download JSON or CSV respectively, underscores are appended to beginning and end of filenames.

Problem: When exporting or downloading content from the GUI in the digital forensics tool Velociraptor, underscores are appended to the beginning and end of filenames. File is otherwise downloaded correctly, but removal of underscores necessary if original filename is desired. One hypothesis is that perhaps for security reasons there were changes made in Firefox 127 for how character escaping is performed. Tested Operating Systems: Ubuntu 24.04, Windows 11 22H2, Windows 11 24H2, macOS Sonoma (14.5) Affected Firefox version(s): Confirmed 127.0, 127.0.1, 127.0.2 Tested Firefox versions which do not reproduce the behavior: 126.x, 125.x > Testing Microsoft Edge, Chromium, Google Chrome on Windows, macOS, Linux: files download with correct name as expected. Testing performed with clean installations on clean VMs with no add-ons enabled. To reproduce: Download the latest release of Velociraptor from Github (at the time of this writing, 0.72.3) for preferred platform / operating system. Run Velociraptor using the gui switch, e.g. "$sudo velociraptor-v0.72.3-windows-amd64 gui" or "$ velociraptor-v0.72.3-windows-amd64.exe gui" Navigate to Server Artifacts and click the "+" icon at the top Search for Server.Utils.CreateMSI - select and press Launch Select the newly-created flow, click "Uploaded Files" tab and click vfs_path to download the file or, click the Notebook tab and click Download JSON or Download CSV buttons to download JSON or CSV respectively, underscores are appended to beginning and end of filenames.
Attached screenshots

All Replies (3)

more options

Is Firefox sanitizing the filename?

What filename does the server send if you check the HTTP response headers in the Network Monitor?

Helpful?

more options

Response Headers shows:

content-disposition attachment; filename*=utf-8""; filename=""

Looking at Response Headers in a version of Firefox such as 125, in which downloads are not appended with underscores, the response headers appear to be the same. Screenshot attached of Firefox 127.0.2 Response Headers

Thank you very much for your help.

Helpful?

more options

Please see linked issue https://github.com/Velocidex/velociraptor/issues/3694 this is probably a documentation bug in MDN

Following the reference https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Disposition shows that the `filename*` field must be encoded according to rfc5987 which shows an example:

https://datatracker.ietf.org/doc/html/rfc5987#section-3.2.2

```

  foo: bar; title*=UTF-8%c2%a3%20and%20%e2%82%ac%20rates

```

So it does not include the quotes before and after. While the `filename` parameter should have the quotes:

``` Content-Disposition: attachment; filename="filename.jpg" ```

Yet from the very same MDN reference we have the following example:

``` Content-Disposition: inline Content-Disposition: attachment Content-Disposition: attachment; filename="filename.jpg" Content-Disposition: attachment; filename*="filename.jpg" ```

Which shows quotes around the `filename*` parameter.

So it seems that firefox started to be very literal in following the RFC and considers the quotes as part of the filename now which is why they are replaced with _ . However chrome is still flexible in allowing optional quotes around the `filename*` parameter.

I just tried removing the quotes from `filename*` on FireFox on Windows and this does solve the issue. Probably the MDN documentation should be updated though as well.

Helpful?

Ask a question

You must log in to your account to reply to posts. Please start a new question, if you do not have an account yet.