Bug#889476: /usr/lib/x86_64-linux-gnu/libgtk-x11-2.0.so.0.2400.31: gtk_file_chooser auto completes when it shouldn't, can't select directory with one subdirectory

David Fries David at Fries.net
Sat Feb 3 18:18:40 UTC 2018


Package: libgtk2.0-0
Version: 2.24.31-2
Severity: important
File: /usr/lib/x86_64-linux-gnu/libgtk-x11-2.0.so.0.2400.31
Tags: upstream

Dear Maintainer,

From chromium "Load unpacked extension..." it brought up what I assume
is the gtk file chooser.  Enable "Type a file name" then I put in the
directory to my extension (calling it /abs_path here).  It added a
slash at the end so now /abs_path/ , I pressed Enter, and I can see it
briefly flash on /abs_path/.git before the dialog closed, chromium
gives an error loading extension because it has the /abs_path/.git
path.

I gave it the correct path, it decided to auto complete something else
and not only that but to do so after accepting the path I gave it
doesn't give the user a chance to fix the program's wrong choice.

It will also auto complete to an invalid filename.  In chromium
select a file to upload, do the "Type a file name" option, put in the
full path to a bunch of image files that all have the same first few
characters.  After putting in the path into the location I press
enter, any other file browser will go to that directory, this will
instead provide the application with path/prefix where prefix is
the first few characters common to all the name files in that
directory.  The result is giving the application a file name that
doesn't exist.

Don't auto select a file, ever!  If you give the "Type a file name" a
directory that has only one file in it, and press enter, in the case
of uploading a browser file, it provides that file to the browser,
which uploads it, and the user has no chance to stop.  Browsers have
required a user to select the file for years to avoid uploading
security sensitive files.  In this case the user would have to
mindfully use a separate program to view that location to verify that
yes it is the file they wanted to upload.

-- System Information:
Debian Release: 9.3
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.13.0 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libgtk2.0-0:amd64 depends on:
ii  adwaita-icon-theme   3.22.0-1+deb9u1
ii  gnome-icon-theme     3.12.0-2
ii  hicolor-icon-theme   0.15-1
ii  libatk1.0-0          2.22.0-1
ii  libc6                2.24-11+deb9u1
ii  libcairo2            1.14.8-1
ii  libcups2             2.2.1-8
ii  libfontconfig1       2.11.0-6.7+b1
ii  libfreetype6         2.6.3-3.2
ii  libgdk-pixbuf2.0-0   2.36.5-2+deb9u2
ii  libglib2.0-0         2.50.3-2
ii  libgtk2.0-common     2.24.31-2
ii  libpango-1.0-0       1.40.5-1
ii  libpangocairo-1.0-0  1.40.5-1
ii  libpangoft2-1.0-0    1.40.5-1
ii  libx11-6             2:1.6.4-3
ii  libxcomposite1       1:0.4.4-2
ii  libxcursor1          1:1.1.14-1+deb9u1
ii  libxdamage1          1:1.1.4-2+b3
ii  libxext6             2:1.3.3-1+b2
ii  libxfixes3           1:5.0.3-1
ii  libxi6               2:1.7.9-1
ii  libxinerama1         2:1.1.3-1+b3
ii  libxrandr2           2:1.5.1-1
ii  libxrender1          1:0.9.10-1
ii  shared-mime-info     1.8-1

Versions of packages libgtk2.0-0:amd64 recommends:
ii  libgail-common  2.24.31-2
ii  libgtk2.0-bin   2.24.31-2

Versions of packages libgtk2.0-0:amd64 suggests:
ii  gvfs             1.30.4-1
ii  librsvg2-common  2.40.16-1+b1

-- no debconf information


