starred/floccus
1
0
Fork 0
mirror of https://github.com/floccusaddon/floccus.git synced 2026-04-26 06:35:59 +03:00
Code Issues 167 Projects Releases 10 Packages Wiki Activity

[GH-ISSUE #1870] Does not verify content-length when chunked-encoding is used #1253

New issue
Closed
opened 2026-02-25 22:39:27 +03:00 by kerem · 2 comments
kerem commented 2026-02-25 22:39:27 +03:00
Owner
Copy link

Originally created by @serious-angel on GitHub (Feb 27, 2025).
Original GitHub issue: https://github.com/floccusaddon/floccus/issues/1870

Which version of floccus are you using?

5.4.4

How many bookmarks do you have, roughly?

34000+

Are you using other means to sync bookmarks in parallel to floccus?

No

Sync method

WebDAV

Which browser are you using? In case you are using the phone App, specify the Android or iOS version and device please.

129.0.6668.100

Which version of Nextcloud Bookmarks are you using? (if relevant)

No response

Which version of Nextcloud? (if relevant)

No response

What kind of WebDAV server are you using? (if relevant)

RClone

Describe the Bug

Due to the WebDav connection interrupted, Floccus got only partial XBEL file and merged it with the local browser. The browser extension then uploaded the local changes to the remote, and that resulted in all the bookmarks across all the devices to annihilate the ~13600 bookmarks from all the clients with this extension installed.

That happened the moment I have been reviewing backups and the storage for months now, and if not the backup of 2024, I would lose all of them. Apparently, only ~5000 was gone, yet I have no idea what are those now.

I have no idea why not implement something like size verification via PROPFIND for such crucially important data people collect for years and trust your solutions also donating you money for it.

Not just that, but when I donated, I thought it will stop requesting for the donation regularly, but then I see the following, proving that no one cares:

github.com/floccusaddon/floccus@e116e861d5/src/lib/browser/BrowserController.js (L126-L132)

It's the second time it removes my bookmarks, but you removed my issue from the issue tracker (sorry, https://github.com/floccusaddon/floccus/issues/1697) I reported in ~2024 regarding XML parsing, where HTML title value parsing issues caused the XML to get malformed, you then fixed with: https://github.com/floccusaddon/floccus/commit/995a53b1b1cfc0aadb9203345ace49cf0baa1c9b

Image

'Will remember you deleted my reported issue from your repository.
'Will not recommend it to anyone anymore.
'Regret I donated to lose my history.
'Deleted the extension and I appreciate you for it, the work and effort, but won't return back.

Stay safe.

Expected Behavior

Do not disrespectfully delete someone's history.

To Reproduce

Use Floccus.

Debug log provided

  • I have provided a debug log file
Originally created by @serious-angel on GitHub (Feb 27, 2025). Original GitHub issue: https://github.com/floccusaddon/floccus/issues/1870 ### Which version of floccus are you using? 5.4.4 ### How many bookmarks do you have, roughly? 34000+ ### Are you using other means to sync bookmarks in parallel to floccus? No ### Sync method WebDAV ### Which browser are you using? In case you are using the phone App, specify the Android or iOS version and device please. 129.0.6668.100 ### Which version of Nextcloud Bookmarks are you using? (if relevant) _No response_ ### Which version of Nextcloud? (if relevant) _No response_ ### What kind of WebDAV server are you using? (if relevant) RClone ### Describe the Bug Due to the WebDav connection interrupted, Floccus got only partial XBEL file and merged it with the local browser. The browser extension then uploaded the local changes to the remote, and that resulted in all the bookmarks across all the devices to annihilate the `~13600` bookmarks from all the clients with this extension installed. That happened the moment I have been reviewing backups and the storage for months now, and if not the backup of 2024, I would lose all of them. Apparently, only ~5000 was gone, yet I have no idea what are those now. I have no idea why not implement something like size verification via [PROPFIND](<http://www.webdav.org/specs/rfc2518.html#METHOD_PROPFIND>) for such crucially important data people collect for years and trust your solutions also donating you money for it. Not just that, but when I donated, I thought it will stop requesting for the donation regularly, but then I see the following, proving that no one cares: https://github.com/floccusaddon/floccus/blob/e116e861d57770a78ffb984d51a32d69e6c73dc5/src/lib/browser/BrowserController.js#L126-L132 It's the second time it removes my bookmarks, ~~but you removed my issue from the issue tracker~~ (sorry, https://github.com/floccusaddon/floccus/issues/1697) I reported in ~2024 regarding XML parsing, where HTML `title` value parsing issues caused the XML to get malformed, you then fixed with: <https://github.com/floccusaddon/floccus/commit/995a53b1b1cfc0aadb9203345ace49cf0baa1c9b> --- ![Image](https://github.com/user-attachments/assets/34888187-f478-4692-892a-19dc6d6c78b2) --- ~'Will remember you deleted my reported issue from your repository.~ 'Will not recommend it to anyone anymore. 'Regret I donated to lose my history. 'Deleted the extension and I appreciate you for it, the work and effort, but won't return back. Stay safe. ### Expected Behavior Do not disrespectfully delete someone's history. ### To Reproduce Use Floccus. ### Debug log provided - [ ] I have provided a debug log file
kerem 2026-02-25 22:39:27 +03:00
  • closed this issue
  • added the
    bug
         label
kerem commented 2026-02-25 22:39:28 +03:00
Author
Owner
Copy link

@github-actions[bot] commented on GitHub (Feb 27, 2025):

Hello 👋

Thank you for taking the time to open this issue with floccus. I know it's frustrating when software
causes problems. You have made the right choice to come here and open an issue to make sure your problem gets looked at
and if possible solved.
I'm Marcel and I created floccus a few years ago, maintaining it ever since. I currently work for Nextcloud
which leaves me with less time for side projects like this one than I used to have.
I still try to answer all issues and if possible fix all bugs here, but it sometimes takes a while until I get to it.
Until then, please be patient.
Note also that GitHub is a place where people meet to make software better together. Nobody here is under any obligation
to help you, solve your problems or deliver on any expectations or demands you may have, but if enough people come together we can
collaborate to make this software better. For everyone.
Thus, if you can, you could also have a look at other issues to see whether you can help other people with your knowledge
and experience. If you have coding experience it would also be awesome if you could step up to dive into the code and
try to fix the odd bug yourself. Everyone will be thankful for extra helping hands!
To continue the development and maintenance of this project in a sustainable way I ask that you donate to the project when opening an issue
(or at least once your issue is solved), if you're not a donor already.
You can find donation options at https://floccus.org/donate/. Thank you!

One last word: If you feel, at any point, like you need to vent, this is not the place for it; you can go to the Nextcloud forum,
to twitter or somewhere else. But this is a technical issue tracker, so please make sure to
focus on the tech and keep your opinions to yourself.

I look forward to working with you on this issue
Cheers 💙

<!-- gh-comment-id:2687651309 --> @github-actions[bot] commented on GitHub (Feb 27, 2025): Hello :wave: Thank you for taking the time to open this issue with floccus. I know it's frustrating when software causes problems. You have made the right choice to come here and open an issue to make sure your problem gets looked at and if possible solved. I'm Marcel and I created floccus a few years ago, maintaining it ever since. I currently work for Nextcloud which leaves me with less time for side projects like this one than I used to have. I still try to answer all issues and if possible fix all bugs here, but it sometimes takes a while until I get to it. Until then, please be patient. Note also that GitHub is a place where people meet to make software better *together*. Nobody here is under any obligation to help you, solve your problems or deliver on any expectations or demands you may have, but if enough people come together we can collaborate to make this software better. For everyone. Thus, if you can, you could also have a look at other issues to see whether you can help other people with your knowledge and experience. If you have coding experience it would also be awesome if you could step up to dive into the code and try to fix the odd bug yourself. Everyone will be thankful for extra helping hands! To continue the development and maintenance of this project in a sustainable way I ask that you donate to the project when opening an issue (or at least once your issue is solved), if you're not a donor already. You can find donation options at <https://floccus.org/donate/>. Thank you! One last word: If you feel, at any point, like you need to vent, this is not the place for it; you can go to the Nextcloud forum, to twitter or somewhere else. But this is a technical issue tracker, so please make sure to focus on the tech and keep your opinions to yourself. I look forward to working with you on this issue Cheers :blue_heart:
kerem commented 2026-02-25 22:39:28 +03:00
Author
Owner
Copy link

@marcelklehr commented on GitHub (Feb 27, 2025):

Hello @serious-angel

first up, I'm truly sorry this happened to you. I do intend to do good with the software I develop, but there is never a guarantee that it does not contain bugs. I do care, though. It also affects me when things go wrong, believe me.

Secondly, I never deleted your issue from last year, I only closed it. Here it is: https://github.com/floccusaddon/floccus/issues/1697

Thirdly, yes, I regularly ask for donations because I think it's fair to ask for something in return for the time I spent on developing this. I cannot prevent the "ask for donations" page from showing for people that already donated, because I believe in privacy and don't want to track people in any way. I'm grateful for your donation, I do care.

Fourthly, coming to the technical side of this issue: Usually the browser will verify the content length of responses on its own, which is why I didn't implement any size verification so far. However, I now found out that if and only if chunked encoding is used for the response, the browser has no way of knowing how long the data to download is and if the response is cut off without the browser knowing ... here we are.

Know this: I will fix the issue, I'm sad to have disappointed a user.

Warm regards,
Marcel

<!-- gh-comment-id:2688563678 --> @marcelklehr commented on GitHub (Feb 27, 2025): Hello @serious-angel first up, I'm truly sorry this happened to you. I do intend to do good with the software I develop, but there is never a guarantee that it does not contain bugs. I do care, though. It also affects me when things go wrong, believe me. Secondly, I never deleted your issue from last year, I only closed it. Here it is: https://github.com/floccusaddon/floccus/issues/1697 Thirdly, yes, I regularly ask for donations because I think it's fair to ask for something in return for the time I spent on developing this. I cannot prevent the "ask for donations" page from showing for people that already donated, because I believe in privacy and don't want to track people in any way. I'm grateful for your donation, I do care. Fourthly, coming to the technical side of this issue: Usually the browser will verify the content length of responses on its own, which is why I didn't implement any size verification so far. However, I now found out that if and only if chunked encoding is used for the response, the browser has no way of knowing how long the data to download is and if the response is cut off without the browser knowing ... here we are. Know this: I will fix the issue, I'm sad to have disappointed a user. Warm regards, Marcel
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
develop
dependabot/npm_and_yarn/fast-xml-parser-5.7.0
dependabot/npm_and_yarn/xmldom/xmldom-0.8.13
dependabot/npm_and_yarn/protocol-buffers-schema-3.6.1
master
fix/xml-entity-limit
all-contributors/add-aaryanvangari
fix/subscanner-residuals
test/subscanner-residuals
test/problematic-seeds
perf/improve-build-time
perf/native-startup
fix/continuation-null-cheks
dropbox
fix/clear-indexeddb-after-sync
dependabot/npm_and_yarn/vuetify-3.11.4
fix/slim-down-continuation
test/background-worker
refactor/fail-build-if-native-uses-browser-api
feat/improve-failsafe-wording
dependabot/npm_and_yarn/multi-0520f5abeb
feat/release-build
fix/more-mapping-errors
dependabot/npm_and_yarn/intl-messageformat-10.7.18
enh/split-sync-interval-and-auto-sync
enh/gdrive-timeout
feat/safari
feat/capabilities
feat/xxhash3
feat/murmur3
fix/gdrive-error-handling
fix/correctness-fixes
fix/linkwarden
feat/orion
fix/nocache-tests
feat/tab-groups
fix/git-never-force-push
fix/xbel-parse-errors
fix/git-push-errors
fix/chrome-main-folder-ids
dependabot/npm_and_yarn/multi-a9f852c250
chore/use-local-linkwarden-container-in-ci
all-contributors/add-balthanon
dependabot/npm_and_yarn/multi-7c5da94753
fix/revert-indexeddb-logger
fix/acknowlegde-abuse
dependabot/npm_and_yarn/eslint-import-resolver-webpack-0.13.10
fix/rip-out-continuations
fix/webdav-filesize-depth-header
fix/changes-while-syncing
fix/addition-failsafe-minimum
feat/indexeddb-logs
feat/addition-failsafe
fix/webdav-check-filesize
fix/orion
fix/bounded-exponential-backoff
fix/dont-repeat-on-sync-fail
fix-tests
fix/speedup-tab-update-cb
all-contributors/add-andybalaam
all-contributors/add-macrogreg
fix/parse-tag-value
fix/cleanup-deps
refactor/partial-set-data-with-lock
fix/nc-bookmarks-update
fix/move-stabiltiy-same-titled-folders
fix/ios-share-extension
fix/update-selenium
fix/chrome-net-errors
enh/nc-bm-js
sentry
fix/unidirectional-scanner-shoudl-use-mappings
enh/interrupts
dependabot/npm_and_yarn/vue-loader-17.4.2
ci/build-ios
enh/manifest-v3
release/4.19.0
fix/codeql
fix/google-drive-ios
all-contributors/add-dmotte
fix/unidirectional-sync
fix/interrupts
all-contributors/add-pinpontitit
all-contributors/add-dsiminiuk
test/old-apis
test/interrupts-on-nextcloud-bookmarks
feature/no-hashing-in-diff
feature/improve-diff-performance
capacitor
enh/rename-nextcloud-folders
fix/complex-hierarchy-reversal-2
tests/coverage
feature/google-drive
dependabot/npm_and_yarn/eslint-plugin-vue-7.6.0
fix/crypto
dependabot/npm_and_yarn/sass-1.32.7
dependabot/npm_and_yarn/css-loader-5.0.2
dependabot/npm_and_yarn/webpack-cli-4.5.0
fix/performance-hash-caching
dependabot/npm_and_yarn/eslint-plugin-standard-5.0.0
dependabot/npm_and_yarn/sass-loader-10.1.1
dependabot/npm_and_yarn/eslint-import-resolver-webpack-0.13.0
dependabot/npm_and_yarn/webpack-merge-5.7.3
dependabot/npm_and_yarn/p-queue-6.6.2
dependabot/npm_and_yarn/throttle-debounce-3.0.1
fix/lww-move-test
fix/overwrite-strategy
fix/root-folder-sync
enh/local-hash-cash
test/ci
ui/vue
cookie-hack
fix/travis
rollup
refactor/ui
webdav
refactor/modularize
v5.9.1
v5.9.0
v5.8.6
v5.8.5
v5.8.4
v5.8.3
v5.8.2
v5.8.1
v5.8.0
v5.7.0
v5.6.0
v5.5.6
v5.5.5
v5.5.4
v5.5.3
v5.5.2
v5.5.1
v5.5.0
v5.4.5
v5.4.4
v5.4.3
v5.4.2
v5.4.2-alpha.1
v5.4.1
v5.4.0
v5.3.4
v5.3.3
v5.3.1
v5.3.0
v5.3.0-beta.1
v5.2.7
v5.2.6
v5.2.5
v5.2.4
v5.2.3
v5.2.2
v5.2.1
v5.2.0
v5.2.0-beta.3
v5.2.0-beta.2
v5.2.0-beta.1
v5.1.7
v5.1.6
v5.1.5
v5.1.4
v5.1.3
5.1.3-beta.1
v5.1.2
v5.1.1
v5.1.0
v5.0.12
v5.0.12-beta.1
v5.0.11
v5.0.10
v5.0.9
v5.0.8
v5.0.7
v5.0.6
v5.0.5
v5.0.4
v5.0.3
v5.0.2
v5.0.1
v5.0.0
v4.19.1
v4.19.0
v4.18.1
v4.18.0
v4.17.1
v4.17.0
v4.16.0
v4.15.0
v4.14.0
v4.13.1
v4.13.0
v4.12.0
v4.11.0
v4.11.0-alpha.0
v4.10.1
v4.10.0
v4.9.0
v4.8.7
v4.8.6
v4.8.4
v4.8.3
v4.8.2
v4.8.1
v4.8.0
v4.7.0
v4.6.4
v4.6.3
v4.6.2
v4.6.1
v4.6.0
v4.5.0
v4.4.10
v4.4.9
v4.4.8
v4.4.7
v4.4.6
v4.4.5
v4.4.4
v4.4.3
v4.4.2
v4.4.1
v4.4.0
v4.4.0-rc1
v4.3.0
v4.2.6
v4.2.5
v4.2.4
v4.2.3
v4.2.2
v4.2.1
v4.2.0
v4.2.0-beta.4
v4.2.0-beta.3
v4.2.0-beta.2
v4.2.0-beta.1
v4.1.0
v4.0.4
v4.0.3
v4.0.2
v4.0.1
v4.0.0
v4
v4.0.0-alpha.3
v4.0.0-alpha.2
v4.0.0-alpha.1
v3.5.3
v3.5.2
v3.5.1
v3.5.0
v3.4.2
v3.4.1
v3.4.0
v3.4.0-beta.3
v3.4.0-beta.2
v3.4.0-beta.1
v3.3.2
v3.3.1
v3.3.0
v3.3.0-beta.5
v3.3.0-beta.4
v3.3.0-beta.3
v3.3.0-beta.2
v3.3.0-beta.1
v3.2.16
v3.2.15
v3.2.14
v3.2.13
v3.2.12
v3.2.11
v3.2.10
v3.2.9
v3.2.8
v3.2.7
v3.2.6
v3.2.5
v3.2.4
v3.2.3
v3.2.2
v3.2.1
v3.2.0
v3.1.15
v3.1.14
v3.1.13
v3.1.12
v3.1.11
v3.1.10
v3.1.9
v3.1.8
v3.1.7
v3.1.6
v3.1.5
v3.1.4
v3.1.3
v3.1.2
v3.1.1
v3.1.0
v3.0.10
v3.0.9
v3.0.8
v3.0.7
v3.0.6
v3.0.5
v3.0.4
v3.0.3
v3.0.2
v3.0.1
v3.0.0
v3.0.0-beta.9
v3.0.0-beta.8
v3.0.0-beta.7
v2.2.9
v3.0.0-beta.6
v3.0.0-beta.5
v3.0.0-beta.4
v3.0.0-beta.3
v3.0.0-beta.2
v3.0.0-beta-1
v3.0.0-alpha-1
v2.2.8
v2.2.7
v2.2.6
v2.2.5
v2.2.4
v2.2.3
v2.2.2
v2.2.1
v2.2.0
v2.1.0
v2.0.6
v2.0.5
v2.0.4
v2.0.3
v2.0.2
v2.0.1
v2.0.0
v2.0.0-beta.2
v1.3.4
v2.0.0-beta.1
v1.3.3
v1.3.2
v1.3.1
v1.3.0
v1.3.0-beta.5
v1.3.0-beta.4
v1.3.0-beta.3
v1.3.0-beta.2
v1.3.0-beta1
v1.2.0
v1.1.2
v1.1.1
v1.1.0
v1.0.1
v1.0.0
Labels
Clear labels   
browser-specific

   
bug

   
correctness issues

   
enhancement

   
feature: Google Drive

   
feature: Linkwarden

   
feature: git

   
feature: nextcloud-bookmarks

   
feature: tabs

   
feature: webdav

   
help wanted

   
native-app

   
priority: high

   
priority: low

   
priority: medium

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
question

   
stale

   
upstream

   
waiting for more information

   
wontfix

   
🙁 Not following issue template
No labels
browser-specific
bug
correctness issues
enhancement
feature: Google Drive
feature: Linkwarden
feature: git
feature: nextcloud-bookmarks
feature: tabs
feature: webdav
help wanted
native-app
priority: high
priority: low
priority: medium
pull-request
question
question
stale
upstream
waiting for more information
wontfix
🙁 Not following issue template
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/floccus#1253
No description provided.