Closed
Bug 1430964
Opened 7 years ago
Closed 7 years ago
FirefoxURL regex check in browser/components/nsBrowserContentHandler.js should be case-insensitive
Categories
(Firefox :: Untriaged, defect)
Tracking
RESOLVED
FIXED
Firefox 59
| | Tracking | Status |
|---|---|---|
| firefox59 | --- | fixed |
People
(Reporter: francois.lajeunesse.robert, Assigned: Gijs)
Details
Attachments
(2 files)
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
Build ID: 20180103231032
Steps to reproduce:
In line 649 of nsBrowserContentHandler.js there is a validation to prevent Firefox from opening URLs from certain command lines. I assume that this is to prevent third-party applications from using the OS protocol handler to open harmful resources in Firefox.
Still, that validation could be bypassed since the check is performed in a case-sensitive manner while the URI specification mentions that schemes are case-insensitive (see https://tools.ietf.org/html/rfc3986#section-3.1).
REMARK:
- I currently flagged it as security because it's a validation bypass. Still, I'm not aware of any exploit for that bypass.
Actual results:
From the command prompt, executing the following command "C:\Program Files (x86)\Mozilla Firefox\firefox.exe" -osint -url "FirefoxURL://?url=test" will cause Firefox to access the resource "FirefoxURL://?url=test" as shown in the attached firefoxurl.png image.
The command corresponds to the one associated with the Windows protocol handler. That being said, the Windows protocol handler seems (at least in Windows 7 and 10) to transform the scheme to lowercase prior to executing the command registered in the URL Protocol handler.
Expected results:
The line of code:
if (cmdLine.length != urlFlagIdx + 2 || /firefoxurl:/.test(urlParam))
should be modified to:
if (cmdLine.length != urlFlagIdx + 2 || /firefoxurl:/i.test(urlParam))
to avoid relying on third-party behavior to effectively apply the intended validation.
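The two checks quoted in the report above, compared side by side on constructed command lines. This is an added example, not part of the original bug report or the Firefox source; the `rejectsUrlParam` helper, the array model of the command line, and the sample arguments are assumptions made for illustration.

```javascript
// Added illustration, not Firefox code. The command line is modelled as a
// plain array of arguments (executable path excluded); that is an assumption.

const CASE_SENSITIVE = /firefoxurl:/;    // check as quoted in the report
const CASE_INSENSITIVE = /firefoxurl:/i; // check as proposed in the report

// Hypothetical helper mirroring the quoted condition: reject when
// "-url <param>" is not the final pair of arguments, or when <param>
// matches the given pattern.
function rejectsUrlParam(args, pattern) {
  const urlFlagIdx = args.findIndex((a) => a.toLowerCase() === "-url");
  if (urlFlagIdx === -1) return false; // no -url flag, nothing to check
  const urlParam = args[urlFlagIdx + 1];
  // Short-circuit: a missing value fails the length test before the regex runs.
  return args.length !== urlFlagIdx + 2 || pattern.test(urlParam);
}

// Constructed sample command lines.
const samples = [
  ["-osint", "-url", "firefoxurl://?url=test"],          // lowercase scheme
  ["-osint", "-url", "FirefoxURL://?url=test"],          // mixed case, from the report
  ["-osint", "-url", "FIREFOXURL:test"],                 // uppercase scheme
  ["-osint", "-url", "https://example.org/"],            // ordinary URL
  ["-osint", "-url", "https://example.org/", "-extra"],  // trailing argument
];

// Evaluate every sample with the check before and after the one-line change.
function compare() {
  return samples.map((args) => ({
    urlParam: args[2],
    before: rejectsUrlParam(args, CASE_SENSITIVE),
    after: rejectsUrlParam(args, CASE_INSENSITIVE),
  }));
}

for (const row of compare()) {
  console.log(`${row.urlParam}  before=${row.before}  after=${row.after}`);
}
```

Only the mixed-case and uppercase rows change between the two columns; the ordinary URL stays accepted and the trailing-argument case stays rejected under both patterns.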
Comment 1 • 7 years ago (Assignee)
(In reply to FLR from comment #0)
> In line 649 of nsBrowserContentHandler.js there is a validation to prevent
> Firefox opening URL from certain command line. I assume that this is to
> prevent third party application from using the OS protocol handler to open
> harmful resources in Firefox.
No, it's intended to junk stuff coming from IE which didn't filter/escape commandline parameters. See bug 384384.
Additionally, all the exploits there (now very old) have since been further mitigated by closing off various other bits of commandline handling code (so you can't run -chrome javascript:... stuff any more, for instance).
This isn't a security issue at this point, though the one-line patch to fix the regexp might as well be added, even if Windows does indeed lowercase everything anyway.
Group: firefox-core-security
Updated • 7 years ago (Assignee)
Summary: FirefoxURL validation bypass in gecko/browser/components/nsBrowserContentHandler.js line 649 → FirefoxURL regex check in browser/components/nsBrowserContentHandler.js should be case-insensitive
Comment hidden (mozreview-request)
Comment 3 • 7 years ago
mozreview-review
Comment on attachment 8943199 [details]
Bug 1430964 - ignore `firefoxurl` commandline junk no matter its case,
https://reviewboard.mozilla.org/r/213554/#review219278
Attachment #8943199 -
Flags: review?(florian) → review+
Pushed by gijskruitbosch@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/544743c411df
ignore `firefoxurl` commandline junk no matter its case, r=florian
Comment 5 • 7 years ago
bugherder
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
status-firefox59:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → Firefox 59
Updated • 6 years ago
Assignee: nobody → gijskruitbosch+bugs