Firefox 127+ Downloaded Filenames Appended With Underscores In Some Circumstances
Problem: When exporting or downloading content from the GUI in the digital forensics tool Velociraptor, underscores are appended to the beginning and end of filenames. The file is otherwise downloaded correctly, but removal of the underscores is necessary if the original filename is desired. One hypothesis is that, perhaps for security reasons, changes were made in Firefox 127 to how character escaping is performed.
Tested Operating Systems: Ubuntu 24.04, Windows 11 22H2, Windows 11 24H2, macOS Sonoma (14.5)
Affected Firefox version(s): Confirmed 127.0, 127.0.1, 127.0.2
Tested Firefox versions which do not reproduce the behavior: 126.x, 125.x
Testing Microsoft Edge, Chromium, Google Chrome on Windows, macOS, Linux: files download with correct name as expected.
Testing performed with clean installations on clean VMs with no add-ons enabled.
To reproduce:
1. Download the latest release of Velociraptor from GitHub (at the time of this writing, 0.72.3) for preferred platform / operating system.
2. Run Velociraptor using the gui switch, e.g. "$ sudo velociraptor-v0.72.3-windows-amd64 gui" or "$ velociraptor-v0.72.3-windows-amd64.exe gui"
3. Navigate to Server Artifacts and click the "+" icon at the top.
4. Search for Server.Utils.CreateMSI, select it and press Launch.
5. Select the newly-created flow, click the "Uploaded Files" tab and click vfs_path to download the file, or click the Notebook tab and click the Download JSON or Download CSV buttons to download JSON or CSV respectively.
6. Underscores are appended to the beginning and end of filenames.
All Replies (3)
Is Firefox sanitizing the filename?
What filename does the server send if you check the HTTP response headers in the Network Monitor?
Response Headers shows:
content-disposition attachment; filename*=utf-8""; filename=""
Looking at Response Headers in a version of Firefox such as 125, in which downloads are not appended with underscores, the response headers appear to be the same. Screenshot attached of Firefox 127.0.2 Response Headers
Thank you very much for your help.
Please see linked issue https://github.com/Velocidex/velociraptor/issues/3694. This is probably a documentation bug in MDN.
Following the reference https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Disposition shows that the `filename*` field must be encoded according to RFC 5987, which shows an example:
https://datatracker.ietf.org/doc/html/rfc5987#section-3.2.2
```
foo: bar; title*=UTF-8''%c2%a3%20and%20%e2%82%ac%20rates
```
So it does not include the quotes before and after. While the `filename` parameter should have the quotes:
```
Content-Disposition: attachment; filename="filename.jpg"
```
Yet from the very same MDN reference we have the following example:
```
Content-Disposition: inline
Content-Disposition: attachment
Content-Disposition: attachment; filename="filename.jpg"
Content-Disposition: attachment; filename*="filename.jpg"
```
Which shows quotes around the `filename*` parameter.
So it seems that Firefox started to be very literal in following the RFC and considers the quotes as part of the filename now, which is why they are replaced with `_`. However, Chrome is still flexible in allowing optional quotes around the `filename*` parameter.
I just tried removing the quotes from `filename*` on Firefox on Windows and this does solve the issue. Probably the MDN documentation should be updated though as well.
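The header form discussed in the reply above, as an added example that is not part of the original thread and is not Velociraptor's or Firefox's code: a Node.js sketch that emits a quoted `filename` fallback plus an unquoted RFC 5987 `filename*`, and a check that flags a quoted `filename*` in a response header. All function names are hypothetical and the sample headers are constructed.

```javascript
// Added example; function names are hypothetical, sample inputs are constructed.

// RFC 5987 attr-char: the only characters allowed unencoded in an ext-value.
const ATTR_CHAR = /[A-Za-z0-9!#$&+\-.^_`|~]/;

// charset'language'value-chars, with no surrounding double quotes.
const EXT_VALUE =
  /^(UTF-8|ISO-8859-1)'[A-Za-z0-9-]*'(?:%[0-9A-Fa-f]{2}|[A-Za-z0-9!#$&+\-.^_`|~])*$/i;

// Percent-encode a filename as UTF-8 bytes per RFC 5987.
function encodeExtValue(name) {
  let out = "";
  for (const byte of Buffer.from(name, "utf8")) {
    const ch = String.fromCharCode(byte);
    out += byte < 0x80 && ATTR_CHAR.test(ch)
      ? ch
      : "%" + byte.toString(16).toUpperCase().padStart(2, "0");
  }
  return out;
}

// Build the header value: quoted ASCII fallback, unquoted filename*.
function buildContentDisposition(name) {
  // The fallback replaces non-ASCII, control, quote and backslash characters.
  const fallback = name.replace(/[^\x20-\x7e]|["\\]/g, "_");
  return `attachment; filename="${fallback}"; ` +
         `filename*=UTF-8''${encodeExtValue(name)}`;
}

// Classify the filename* parameter of a Content-Disposition value.
function lintFilenameStar(header) {
  const m = /;\s*filename\*\s*=\s*([^;]*)/i.exec(header);
  if (!m) return "absent";
  const value = m[1].trim();
  if (value.includes('"')) return "quoted"; // the case reported in this thread
  return EXT_VALUE.test(value) ? "ok" : "malformed";
}

// Constructed sample headers, including the quoted form from the MDN example.
for (const h of [
  buildContentDisposition("£ and € rates.csv"),
  'attachment; filename*="filename.jpg"',
]) {
  console.log(lintFilenameStar(h).padEnd(8), h);
}
```

A server-side test that runs `lintFilenameStar` over every download response catches the quoted form before a strict browser rewrites the saved filename.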