Package: libgtk2.0-0
Version: 2.24.31-2
Severity: important
File: /usr/lib/x86_64-linux-gnu/libgtk-x11-2.0.so.0.2400.31
Tags: upstream

Dear Maintainer,

From chromium "Load unpacked extension..." it brought up what I assume is the gtk file chooser. Enable "Type a file name" then I put in the directory to my extension (calling it /abs_path here). It added a slash at the end so now /abs_path/ , I pressed Enter, and I can see it briefly flash on /abs_path/.git before the dialog closed, chromium gives an error loading extension because it has the /abs_path/.git path.

I gave it the correct path; it decided to auto complete something else, and not only that, but doing so after accepting the path I gave it doesn't give the user a chance to fix the program's wrong choice.

It will also auto complete to an invalid filename. In chromium, select a file to upload, do the "Type a file name" option, put in the full path to a bunch of image files that all have the same first few characters. After putting the path into the location I press Enter; any other file browser will go to that directory, this will instead provide the application with path/prefix where prefix is the first few characters common to all the file names in that directory. The result is giving the application a file name that doesn't exist.

Don't auto select a file, ever! If you give the "Type a file name" a directory that has only one file in it, and press Enter, in the case of uploading a browser file, it provides that file to the browser, which uploads it, and the user has no chance to stop. Browsers have required a user to select the file for years to avoid uploading security sensitive files. In this case the user would have to mindfully use a separate program to view that location to verify that yes it is the file they wanted to upload.

-- System Information:
Debian Release: 9.3
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.13.0 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libgtk2.0-0:amd64 depends on:
ii  adwaita-icon-theme   3.22.0-1+deb9u1
ii  gnome-icon-theme     3.12.0-2
ii  hicolor-icon-theme   0.15-1
ii  libatk1.0-0          2.22.0-1
ii  libc6                2.24-11+deb9u1
ii  libcairo2            1.14.8-1
ii  libcups2             2.2.1-8
ii  libfontconfig1       2.11.0-6.7+b1
ii  libfreetype6         2.6.3-3.2
ii  libgdk-pixbuf2.0-0   2.36.5-2+deb9u2
ii  libglib2.0-0         2.50.3-2
ii  libgtk2.0-common     2.24.31-2
ii  libpango-1.0-0       1.40.5-1
ii  libpangocairo-1.0-0  1.40.5-1
ii  libpangoft2-1.0-0    1.40.5-1
ii  libx11-6             2:1.6.4-3
ii  libxcomposite1       1:0.4.4-2
ii  libxcursor1          1:1.1.14-1+deb9u1
ii  libxdamage1          1:1.1.4-2+b3
ii  libxext6             2:1.3.3-1+b2
ii  libxfixes3           1:5.0.3-1
ii  libxi6               2:1.7.9-1
ii  libxinerama1         2:1.1.3-1+b3
ii  libxrandr2           2:1.5.1-1
ii  libxrender1          1:0.9.10-1
ii  shared-mime-info     1.8-1

Versions of packages libgtk2.0-0:amd64 recommends:
ii  libgail-common  2.24.31-2
ii  libgtk2.0-bin   2.24.31-2

Versions of packages libgtk2.0-0:amd64 suggests:
ii  gvfs             1.30.4-1
ii  librsvg2-common  2.40.16-1+b1

-- no debconf information