Open Bug 1754415 Opened 3 years ago Updated 3 years ago

Command line options interpreted after "--"

Categories

(Toolkit :: Startup and Profile System, defect)

UNCONFIRMED

People

(Reporter: manikulin, Unassigned)

Steps to reproduce:

The command line options parser in thunderbird does not stop interpreting options when it meets a double dash --, the separator between options and arguments. Well-behaved applications and utilities consider everything after -- as files, URLs, search arguments, etc., even when such arguments start with a dash. For URL handlers it may ensure that an improperly encoded URI from another buggy application cannot modify the behavior of the handler (thunderbird in this case). It is discussed e.g. in https://parsiya.net/blog/2021-03-17-attack-surface-analysis-part-2-custom-protocol-handlers/#the--- "Attack Surface Analysis - Part 2 - Custom Protocol Handlers".

Example:

thunderbird-98.0a1/thunderbird -- --no-remote

Actual results:

--no-remote option has effect, -- is just ignored.

Expected results:

  1. Everything after -- is not considered as options, they are arguments. If such an argument is meaningless then an error is reported.
  2. Such separator is used in script wrappers, desktop files, etc.

We use the toolkit. So what toolkit does, we do.

Component: Untriaged → Startup and Profile System
Product: Thunderbird → Toolkit
Version: Thunderbird 98 → unspecified

The severity field is not set for this bug.
:mossop, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(dtownsend)
Severity: -- → S4
Flags: needinfo?(dtownsend)

My request is in some sense similar to an old security issue, Bug #384384, that caused the introduction of the -osint option on Windows.

Originally I filed this bug for thunderbird. For firefox, consider the following examples of options that I would like to deactivate by -- in case of some bugs in the processing of URI handlers at the desktop level. Linux offers a lot of variants for X sessions; some are real desktop environments, some are rather minimalistic.

  • When firefox is not running: https://example.com --remote-debugging-port 0.0.0.0:9222
  • When firefox is already running, an attack is more tricky and requires two steps: https://example.com -CreateProfile bug and next time https://example.com -P bug --remote-debugging-port 0.0.0.0:9222. Even just launching the browser with a new clean profile may be undesirable, since users may adjust profiles to suppress trackers and install various extensions for security reasons (noScript, uMatrix).

See Also: → 1755454
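
A defensive sketch for the wrapper-script case raised in this report, added here as an example and not taken from the bug or from Mozilla's code: because `--` does not stop option parsing, the wrapper itself refuses anything that is not exactly one URL argument. `BROWSER_CMD`, the function names and the scheme allowlist are assumptions.

```shell
#!/bin/sh
# Added example: guard for a URL-handler wrapper script.
# BROWSER_CMD, is_safe_url and open_url are hypothetical names.
BROWSER_CMD=${BROWSER_CMD:-thunderbird}

TAB=$(printf '\t')
NL='
'

# is_safe_url ARG...
# Succeeds only when called with exactly one argument that starts with an
# allowed scheme and contains no whitespace. A URI that a buggy desktop
# component split into several words arrives as several arguments and fails.
is_safe_url() {
    [ "$#" -eq 1 ] || return 1
    case "$1" in
        -*) return 1 ;;                        # would be parsed as an option
        *" "*|*"$TAB"*|*"$NL"*) return 1 ;;    # unsplit "URL --option" string
    esac
    case "$1" in
        http://?*|https://?*|mailto:?*) return 0 ;;   # assumed allowlist
    esac
    return 1
}

# open_url ARG...
# Passes the argument on only after validation; "--" is not relied upon,
# since the report shows the application ignores it.
open_url() {
    if ! is_safe_url "$@"; then
        printf 'refusing to pass to %s: %s\n' "$BROWSER_CMD" "$*" >&2
        return 64
    fi
    "$BROWSER_CMD" "$1"
}

# When used as the handler script, validate whatever the desktop passed in.
if [ "$#" -gt 0 ]; then
    open_url "$@"
fi
```
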