Downloader writes file to $TMPDIR without consent
I'm using hardened Tor Browser a6. I expected it would not store metadata of my browser usage without consent. Under the general prefs I've said "always ask me where to save files". But I ran strace and saw it was saving to $TMPDIR while the directory selector popup was visible.
OK, I said "automatically download files from now on" on an earlier dialog but to me that implied "according to my settings", and if I say "ask me" I expect it to not write anywhere other than selected. My default "download" directory is symlinked to an encrypted filesystem, but that's not even where it went by default! (And note that because I've clicked "automatically" and told Firefox to always download rather than open, a site can cause this to happen automatically by sending me certain mimetypes.)
I guess I was clever because I'd pointed $TMPDIR to a tmpfs in anticipation of stuff like this (from other programs, ones that aren't security-focused), and of course my swap is encrypted with a random key. But Debian doesn't have it as a default configuration (yet?).
Please don't write anything to disk until a directory is selected. Until that's done, setting $TMPDIR to $XDG_RUNTIME_DIR/tbb/ in the startup script would reduce the risks (space usage could be a problem, and $XDG_RUNTIME_DIR might be unset if the user's not using systemd).
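A sketch of the startup-script workaround suggested in the report, handling the case where $XDG_RUNTIME_DIR is unset; this is an added example, not part of the original report and not Tor Browser's own launcher code. The function names, the symlink and ownership checks, and the choice to leave TMPDIR unchanged on failure are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not Tor Browser's launcher): pick a private TMPDIR under
# $XDG_RUNTIME_DIR before starting the browser. Function names and the
# checks applied to the "tbb" subdirectory are illustrative assumptions.

# True if the path sits on a RAM-backed filesystem (GNU stat, Linux).
is_ram_backed() {
    case $(stat -f -c %T "$1" 2>/dev/null) in
        tmpfs|ramfs) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the directory to use as TMPDIR, or fail if none is safe.
pick_private_tmpdir() {
    base=${XDG_RUNTIME_DIR:-}
    # Unset or relative (e.g. the user is not using systemd): refuse.
    case $base in
        /*) ;;
        *) return 1 ;;
    esac
    # The base must exist and belong to the current user.
    [ -d "$base" ] && [ -O "$base" ] || return 1
    dir=$base/tbb
    # Never follow a symlink planted at the target name.
    if [ -L "$dir" ]; then return 1; fi
    [ -d "$dir" ] || mkdir -m 700 "$dir" || return 1
    [ -O "$dir" ] || return 1
    # Tighten permissions on a directory left over from an earlier run.
    chmod 700 "$dir" || return 1
    printf '%s\n' "$dir"
}

# Launcher fragment: only override TMPDIR when a safe directory exists.
if dir=$(pick_private_tmpdir); then
    TMPDIR=$dir
    export TMPDIR
    is_ram_backed "$TMPDIR" ||
        echo "warning: $TMPDIR is not on tmpfs; temp files may reach disk" >&2
else
    echo "warning: XDG_RUNTIME_DIR unusable; TMPDIR left unchanged" >&2
fi
```

The fragment only addresses where temporary files land; it does not change the browser behaviour the report asks to have fixed.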