Closed Bug 1430964 Opened 6 years ago Closed 6 years ago
FirefoxURL regex check in browser/components/nsBrowserContentHandler.js should be case-insensitive
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
Build ID: 20180103231032

Steps to reproduce:

In line 649 of nsBrowserContentHandler.js there is a validation to prevent Firefox opening URLs from certain command lines. I assume that this is to prevent third-party applications from using the OS protocol handler to open harmful resources in Firefox. Still, that validation could be bypassed since the check is performed in a case-sensitive manner while the URI specification mentions that schemes are case-insensitive (see https://tools.ietf.org/html/rfc3986#section-3.1).

REMARK:
- I currently flagged it as security because it's a validation bypass. Still, I'm not aware of any exploit for that bypass.

Actual results:

From the command prompt, executing the following command

"C:\Program Files (x86)\Mozilla Firefox\firefox.exe" -osint -url "FirefoxURL://?url=test"

will cause Firefox to access the resource "FirefoxURL://?url=test" as shown in the attached firefoxurl.png image. The command corresponds to the one associated with the Windows protocol handler. That being said, the Windows protocol handler seems (at least in Windows 7 and 10) to transform the scheme to lowercase prior to executing the command registered in the URL Protocol handler.

Expected results:

The line of code:

if (cmdLine.length != urlFlagIdx + 2 || /firefoxurl:/.test(urlParam))

should be modified to:

if (cmdLine.length != urlFlagIdx + 2 || /firefoxurl:/i.test(urlParam))

to avoid relying on a third-party behavior to effectively apply the intended validation.
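The comparison described in the report above, as an added example that is not part of the original bug or of Firefox's code: it runs the quoted condition with both regexes over constructed command lines and lists the inputs whose RFC 3986 scheme is `firefoxurl` but which a check lets through. The plain array standing in for `cmdLine`, the function names and the sample values are assumptions made for illustration.

```javascript
// Added example (not Firefox source). A plain array models the command line;
// all function names here are hypothetical.

// RFC 3986 section 3.1: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
const SCHEME_RE = /^([A-Za-z][A-Za-z0-9+.-]*):/;

// Returns the scheme in canonical lowercase form, or null if none is present.
function canonicalScheme(urlParam) {
  const m = SCHEME_RE.exec(urlParam);
  return m ? m[1].toLowerCase() : null;
}

const ORIGINAL = /firefoxurl:/;  // case-sensitive check quoted in the report
const PATCHED = /firefoxurl:/i;  // proposed case-insensitive check

// The quoted condition, parameterised on the regex so both versions can run.
function isRejected(args, urlFlagIdx, pattern) {
  const urlParam = args[urlFlagIdx + 1];
  return args.length != urlFlagIdx + 2 || pattern.test(urlParam);
}

// Constructed sample values for the -url argument.
const SAMPLES = [
  "firefoxurl://?url=test",
  "FirefoxURL://?url=test",
  "FIREFOXURL:test",
  "https://example.org/",
];

// For each sample, record the canonical scheme and each check's verdict.
function audit(samples) {
  return samples.map((value) => {
    const args = ["-osint", "-url", value]; // -url flag sits at index 1
    return {
      value,
      scheme: canonicalScheme(value),
      original: isRejected(args, 1, ORIGINAL),
      patched: isRejected(args, 1, PATCHED),
    };
  });
}

// Inputs whose canonical scheme is firefoxurl but which the named check accepts.
function missedBy(samples, key) {
  return audit(samples)
    .filter((row) => row.scheme === "firefoxurl" && !row[key])
    .map((row) => row.value);
}

console.log(missedBy(SAMPLES, "original"), missedBy(SAMPLES, "patched"));
```

A table like this works as a regression test: any non-empty `missedBy` result means the check disagrees with the scheme's canonical form.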
Summary: FirefoxURL validation bypass in gecko/browser/components/nsBrowserContentHandler.js line 649 → FirefoxURL regex check in browser/components/nsBrowserContentHandler.js should be case-insensitive
Comment on attachment 8943199 [details] Bug 1430964 - ignore `firefoxurl` commandline junk no matter its case, https://reviewboard.mozilla.org/r/213554/#review219278
Attachment #8943199 - Flags: review?(florian) → review+
Pushed by email@example.com: https://hg.mozilla.org/integration/autoland/rev/544743c411df ignore `firefoxurl` commandline junk no matter its case, r=florian