Command lines options interpreted after "--"
Categories: Toolkit :: Startup and Profile System, defect
People: Reporter: manikulin, Unassigned
Steps to reproduce:
The command line options parser in Thunderbird does not stop interpreting options when it meets a double dash (--), the separator between options and arguments. Well-behaving applications and utilities consider everything after -- as files, URLs, search arguments, etc., even when such arguments start with a dash. For URL handlers it may ensure that an improperly encoded URI from another buggy application cannot modify the behavior of the handler (Thunderbird in this case). It is discussed e.g. in https://parsiya.net/blog/2021-03-17-attack-surface-analysis-part-2-custom-protocol-handlers/#the--- "Attack Surface Analysis - Part 2 - Custom Protocol Handlers".
Example:
thunderbird-98.0a1/thunderbird -- --no-remote
Actual results:
The --no-remote option has effect; -- is just ignored.
Expected results:
- Everything after -- is not considered as options; they are arguments. If such an argument is meaningless then an error is reported.
- Such a separator is used in script wrappers, desktop files, etc.
Comment 1•3 years ago
We use the toolkit. So what toolkit does, we do.
Comment 2•3 years ago
The severity field is not set for this bug.
:mossop, could you have a look please?
For more information, please visit auto_nag documentation.
Updated•3 years ago
My request is in some sense similar to an old security issue, Bug #384384, that caused the introduction of the -osint option on Windows.
Originally I filed this bug for Thunderbird. For Firefox, consider the following examples of options that I would like to deactivate by -- in case of some bugs with processing of the URI handler at the desktop level. Linux offers a lot of variants for X sessions; some are real desktop environments, some are rather minimalistic.
- When Firefox is not running:
  https://example.com --remote-debugging-port 0.0.0.0:9222
- When Firefox is already running an attack is more tricky and requires two steps:
  https://example.com -CreateProfile bug
  and next time https://example.com -P bug --remote-debugging-port 0.0.0.0:9222
  Even just launching the browser with a new clean profile may be undesirable, since users may adjust profiles to suppress trackers or install various extensions for security reasons (NoScript, uMatrix).
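The following Python parser is an added illustration of the end-of-options behaviour the report asks for (in the description and in the Firefox examples above); it is not Mozilla toolkit code. The option table is a constructed stand-in for the real Thunderbird/Firefox option set, and the `honor_separator=False` mode reproduces the reported behaviour (`--` skipped, later tokens still parsed as options) so the two can be compared side by side.

```python
import re
from typing import Dict, List, Tuple

# Constructed option table (a stand-in for the real Thunderbird/Firefox
# option set): option name -> True if the option consumes the next token.
KNOWN_OPTIONS: Dict[str, bool] = {
    "--no-remote": False,
    "--remote-debugging-port": True,
    "-P": True,
    "-CreateProfile": True,
}

# RFC 3986 scheme syntax: a URI-like positional argument starts with
# "letter[letters/digits/+/-/.]:". Anything else (including a token that
# starts with a dash) is not a URL and is reported rather than interpreted.
URI_SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*:")


def parse_argv(argv: List[str], honor_separator: bool = True) -> Tuple[Dict[str, object], List[str]]:
    """Split argv into (options, positional arguments).

    honor_separator=True: the first bare "--" ends option processing and every
    later token is positional, even if it starts with a dash (expected result).
    honor_separator=False: "--" is skipped and later tokens are still treated
    as options (the behaviour the report describes as actual).
    """
    options: Dict[str, object] = {}
    positionals: List[str] = []
    i = 0
    while i < len(argv):
        tok = argv[i]
        if tok == "--":
            if honor_separator:
                positionals.extend(argv[i + 1:])
                break
            i += 1
            continue
        if tok in KNOWN_OPTIONS:
            if KNOWN_OPTIONS[tok]:
                if i + 1 >= len(argv):
                    raise ValueError(f"option {tok} requires a value")
                options[tok] = argv[i + 1]
                i += 2
            else:
                options[tok] = True
                i += 1
            continue
        positionals.append(tok)
        i += 1
    return options, positionals


def check_positionals(positionals: List[str]) -> List[str]:
    """Return an error message for every positional argument that is not a
    URL, so that a stray "--remote-debugging-port" after "--" is reported
    instead of being silently acted upon."""
    return [f"not a URL: {arg!r}" for arg in positionals if not URI_SCHEME.match(arg)]


def handle(argv: List[str], honor_separator: bool = True) -> Dict[str, object]:
    """Parse argv as a URL handler would and collect any rejected arguments."""
    options, positionals = parse_argv(argv, honor_separator)
    return {"options": options, "positionals": positionals, "errors": check_positionals(positionals)}


if __name__ == "__main__":
    # The report's example: thunderbird -- --no-remote
    sample = ["--", "--no-remote"]
    print("expected:", handle(sample))
    print("actual:  ", handle(sample, honor_separator=False))
```

With `honor_separator=True` the report's `-- --no-remote` case yields no options and one positional that fails the URL check, which is the "argument is meaningless, report an error" outcome the reporter expects; a wrapper script or desktop file would then invoke the handler as `thunderbird -- "$url"` and be certain that nothing inside the URL is parsed as an option.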