1330178 - mailcap handling attempts to spawn a process from the child

Status: NEW

(Core :: Security: Process Sandboxing, defect, P3)

Description

[Blake Kaplan (:mrbkap) (inactive)]

While debugging bug 1303727, I found that at [1], it's possible for us to try to launch a process from a child process. We already block the attempt at [2], but theoretically, this could cause us to use the wrong mailcap entry to handle a filetype that we don't deal with internally.

This is probably a pretty low priority bug.

STR:
0.0 Have OpenOffice installed (I am on Ubuntu, if it matters).
0.1 Create a .odt file somewhere (I'll refer to it as ~/file.odt).
1. Open your home directory in Firefox.
2. Click on ~/file.odt.
3. Break in nsProcess::RunProcess in the child process.

My mailcap has:
application/vnd.oasis.opendocument.text; soffice --nologo --writer '%s'; edit=soffice --nologo --writer '%s'; print=soffice --nologo --writer -p '%s'; test=test -n "$DISPLAY"; description="OpenDocument Text Document"; nametemplate=%s.odt

Note the `test=...` bit, which causes the problem.

[1] http://searchfox.org/mozilla-central/rev/225ab0637ed51b8b3f9f4ee2f9c339a37a65b626/uriloader/exthandler/unix/nsOSHelperAppService.cpp#1091
[2] http://searchfox.org/mozilla-central/rev/225ab0637ed51b8b3f9f4ee2f9c339a37a65b626/xpcom/threads/nsProcessCommon.cpp#442-443

Comment 1

[Jed Davis [:jld] ⟨⏰|UTC-7⟩ ⟦he/him⟧]

gcp, do we have a bug for this yet?

(See also: bug 1310116, bug 1309787, a few others, and especially bug 579388.)

Comment 2

[Jed Davis [:jld] ⟨⏰|UTC-7⟩ ⟦he/him⟧]

…where by “this” I mean fixing things so that at least the extension <-> MIME type mapping works correctly in content.

Comment 3

[Gian-Carlo Pascutto [:gcp]]

I would have thought bug 579388. I also know bug 1292249 which is similar.

Comment 4

[Blake Kaplan (:mrbkap) (inactive)]

To be clear, this does work. Failing to launch the process causes us to ignore the 'test' field in the mailcap file. This bug is about us trying to launch that process at all. I would be very surprised if this causes actual user-visible problems.