Closed Bug 1430964 Opened 3 years ago Closed 3 years ago

FirefoxURL regex check in browser/components/nsBrowserContentHandler.js should be case-insensitive

Categories

(Firefox :: Untriaged, defect)

57 Branch
defect
Not set
normal

Tracking

RESOLVED FIXED
Firefox 59
Tracking Status
firefox59 --- fixed

People

(Reporter: francois.lajeunesse.robert, Assigned: Gijs)

Details

Attachments

(2 files)

Attached image firefoxurl.png
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
Build ID: 20180103231032

Steps to reproduce:

In line 649 of nsBrowserContentHandler.js there is a validation to prevent Firefox from opening URLs from certain command lines. I assume that this is to prevent third-party applications from using the OS protocol handler to open harmful resources in Firefox.

Still, that validation could be bypassed since the check is performed in a case-sensitive manner while the URI specification mentions that schemes are case insensitive (see https://tools.ietf.org/html/rfc3986#section-3.1).

REMARK:
 - I currently flagged it as security because it's a validation bypass. Still, I'm not aware of any exploit for that bypass.


Actual results:

From the command prompt, executing the following command "C:\Program Files (x86)\Mozilla Firefox\firefox.exe" -osint -url "FirefoxURL://?url=test" will cause Firefox to access the resource "FirefoxURL://?url=test" as shown in the attached firefoxurl.png image.

The command corresponds to the one associated with the Windows protocol handler. That being said, the Windows protocol handler seems (at least in Windows 7 and 10) to transform the scheme to lowercase prior to executing the command registered in the URL Protocol handler.


Expected results:

The line of code:
  if (cmdLine.length != urlFlagIdx + 2 || /firefoxurl:/.test(urlParam))
should be modified to:
  if (cmdLine.length != urlFlagIdx + 2 || /firefoxurl:/i.test(urlParam))
to avoid relying on third-party behavior to effectively apply the intended validation.
(In reply to FLR from comment #0)
> In line 649 of nsBrowserContentHandler.js thereis a validation to prevent
> Firefox opening URL from certain command line. I assume that this is to
> prevent third party application from using the OS protocol handler to open
> harmfull resources in Firefox.

No, it's intended to junk stuff coming from IE which didn't filter/escape commandline parameters. See bug 384384.

Additionally, all the exploits there (now very old) have since been further mitigated by closing off various other bits of commandline handling code (so you can't run -chrome javascript:... stuff any more, for instance).

This isn't a security issue at this point, though the one-line patch to fix the regexp might as well be added, even if Windows does indeed lowercase everything anyway.
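The following is an added illustration, not code from the Firefox tree or from this bug's patch: a small model of the -osint -url check quoted in comment 0, run with the original /firefoxurl:/ regex and with the /firefoxurl:/i form the patch switches to, over constructed argument arrays. The `findUrlFlag` helper stands in for the real handler's flag lookup and is an assumption of this example.

```javascript
// Added example (not Firefox's own code): a model of the command-line
// check from nsBrowserContentHandler.js discussed in this bug.

// Find the index of the "-url" flag in an argument array. This stands in
// for the real handler's flag lookup (assumption); returns -1 if absent.
function findUrlFlag(cmdLine) {
  return cmdLine.findIndex((arg) => arg.toLowerCase() === "-url");
}

// Returns true when the command line should be rejected as junk.
// `caseInsensitive` selects between /firefoxurl:/ (before the patch)
// and /firefoxurl:/i (after the patch).
function isJunkCommandLine(cmdLine, caseInsensitive) {
  const urlFlagIdx = findUrlFlag(cmdLine);
  if (urlFlagIdx === -1) {
    return false; // no -url flag at all; nothing for this check to do
  }
  const urlParam = cmdLine[urlFlagIdx + 1];
  const re = caseInsensitive ? /firefoxurl:/i : /firefoxurl:/;
  // Same shape as the line quoted in comment 0: exactly one argument may
  // follow -url, and it may not carry a firefoxurl: scheme.
  return cmdLine.length !== urlFlagIdx + 2 || re.test(urlParam);
}

// Constructed sample command lines (argument arrays as the handler sees them).
const LOWERCASE = ["-osint", "-url", "firefoxurl://?url=test"];
const MIXEDCASE = ["-osint", "-url", "FirefoxURL://?url=test"];
const NORMAL = ["-osint", "-url", "https://example.org/"];
const EXTRA_ARG = ["-osint", "-url", "https://example.org/", "-foo"];

// Collect the outcomes so the difference between the two regexes is visible.
function demo() {
  return {
    lowercaseOld: isJunkCommandLine(LOWERCASE, false), // true: old regex matches
    mixedOld: isJunkCommandLine(MIXEDCASE, false), // false: slips past old regex
    mixedNew: isJunkCommandLine(MIXEDCASE, true), // true: caught with the /i flag
    normalNew: isJunkCommandLine(NORMAL, true), // false: ordinary URL is accepted
    extraNew: isJunkCommandLine(EXTRA_ARG, true), // true: extra trailing argument
  };
}
```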
Group: firefox-core-security
Summary: FirefoxURL validation bypass in gecko/browser/components/nsBrowserContentHandler.js line 649 → FirefoxURL regex check in browser/components/nsBrowserContentHandler.js should be case-insensitive
Comment on attachment 8943199 [details]
Bug 1430964 - ignore `firefoxurl` commandline junk no matter its case,

https://reviewboard.mozilla.org/r/213554/#review219278
Attachment #8943199 - Flags: review?(florian) → review+
Pushed by gijskruitbosch@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/544743c411df
ignore `firefoxurl` commandline junk no matter its case, r=florian
https://hg.mozilla.org/mozilla-central/rev/544743c411df
Status: UNCONFIRMED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 59
Assignee: nobody → gijskruitbosch+bugs