No coding spaces when calling custom protocols may cause command injection
(Firefox :: Untriaged, defect)
(Reporter: myemail-tmr, Unassigned)
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
Steps to reproduce:
In the Windows system, for example, if an application is registered with the myproto protocol, the browser can use myproto://xxx to start the program.
You can refer to Microsoft documentation:
https://docs.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/platform-apis/aa767914(v=vs.85)?redirectedfrom=MSDN
Avoid spaces, quotes, or backslashes in your URI.
Quote the %1 in the registration ("%1" as written in the 'alert' example registration).
However, avoidance doesn't completely solve the problem of quotes in the URI or a backslash at the end of the URI.
Usually %1 or "%1" is used, depending on the application.
In the case of using %1, there is a command injection vulnerability when opening the link in Firefox, because Firefox does not encode spaces:
<a href="myproto:xxx -somearg=cmd.exe">link</a>
Actual results:
No encoding of spaces: -somearg=cmd.exe is injected into the command line of the program.
Expected results:
Use URL encoding, [space] -> %20.
Chrome will encode spaces, so there will be no command injection vulnerabilities.
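The following is an added example, not code from the report or from Mozilla, that models what the report describes: the protocol-handler command line registered with an unquoted %1, the way a space-containing URI splits into extra arguments when substituted into it, and the two mitigations mentioned in the report (percent-encoding the URI on the browser side, quoting %1 on the registration side). The argument splitter is a simplified imitation of Windows command-line parsing (whitespace separates arguments, double quotes group them; backslash escaping is ignored), the handler path and registration templates are constructed sample values, and the URI is the one from the report.

```python
from urllib.parse import quote

# Constructed sample registration templates, modelled on the shell\open\command
# value of a protocol handler. The path is hypothetical.
UNQUOTED_TEMPLATE = r'C:\app\handler.exe %1'
QUOTED_TEMPLATE = r'C:\app\handler.exe "%1"'

# The URI from the report: a space followed by an extra switch.
RAW_URI = "myproto:xxx -somearg=cmd.exe"

# RFC 3986 reserved characters are left intact so the URI keeps its meaning;
# everything else (space, double quote, backslash, ...) is percent-encoded.
_URI_SAFE = ":/?#[]@!$&'()*+,;="


def encode_uri(uri: str) -> str:
    """Percent-encode a URI before handing it to a protocol handler.

    Spaces become %20, quotes %22 and backslashes %5C, which are the three
    characters the Microsoft guidance says to avoid in the URI.
    """
    return quote(uri, safe=_URI_SAFE)


def build_command_line(template: str, uri: str) -> str:
    """Substitute the URI for %1, as the shell does when launching the handler."""
    return template.replace("%1", uri)


def split_windows_args(cmdline: str) -> list[str]:
    """Simplified Windows-style argv splitting (assumption: no backslash escapes).

    Whitespace outside double quotes ends an argument; quotes toggle grouping
    and are removed. This is enough to show how an unencoded space is treated.
    """
    args, current, in_quotes, have_arg = [], [], False, False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
            have_arg = True
        elif ch.isspace() and not in_quotes:
            if have_arg:
                args.append("".join(current))
                current, have_arg = [], False
        else:
            current.append(ch)
            have_arg = True
    if have_arg:
        args.append("".join(current))
    return args


def registration_quotes_argument(template: str) -> bool:
    """Check the registration-side mitigation: is %1 wrapped in double quotes?"""
    return '"%1"' in template


def handler_argv(template: str, uri: str, encode: bool) -> list[str]:
    """Return the argv the handler would see for a given template and URI."""
    return split_windows_args(build_command_line(template, encode_uri(uri) if encode else uri))


if __name__ == "__main__":
    # Unquoted %1 and a raw URI: the part after the space becomes a second argument.
    print(handler_argv(UNQUOTED_TEMPLATE, RAW_URI, encode=False))
    # Browser-side fix: with the space encoded the whole URI stays one argument.
    print(handler_argv(UNQUOTED_TEMPLATE, RAW_URI, encode=True))
    # Registration-side fix: quoting %1 keeps the raw URI as one argument too.
    print(handler_argv(QUOTED_TEMPLATE, RAW_URI, encode=False))
    for name, tpl in (("unquoted", UNQUOTED_TEMPLATE), ("quoted", QUOTED_TEMPLATE)):
        print(f"{name} registration quotes %1: {registration_quotes_argument(tpl)}")
```

Running the script prints three argument lists: the unencoded, unquoted case yields a separate `-somearg=cmd.exe` argument, while either mitigation keeps the URI as a single argument. `registration_quotes_argument` is the check to run over an application's own registration; `encode_uri` is the browser-side behaviour the report asks Firefox to adopt.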
Updated•4 years ago
Can I see the details of the bug 1696685? I don’t currently have permission. Is this bug fixed?
Comment 4•4 years ago
It is not fixed.
Updated•2 years ago