Closed Bug 238710 Opened 21 years ago Closed 16 years ago

mozilla 1.7b interprets shell caracters in url when launched from command line

Categories

(Core :: Security, defect)

Product:
Core
Component:
Security
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
major

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: hules, Unassigned)

References

Details

Attachments

(1 file)

Patch for FireFox 0.8
3.10 KB, patch
Details | Diff | Splinter Review
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5) Gecko/20040130 Firebird/0.7 Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7b) Gecko/20040316 try mozilla 'http://$hostname' or mozilla 'http://plop.org/$(xeyes)'. With 1.6, nothing is interpreted, with 1.7b, the url is replaced by the hostname, and xeyes is launched. Reproducible: Always Steps to Reproduce: 1. 2. 3. Actual Results: a potential security problem version 1.6 does not exhibit this problem. Firefox appears to have the same bug.
Darin, any idea who should look at this/what might have caused this?
This is surely a side-effect of something in our shell scripts that launch mozilla. Maybe mozilla-xremote-client is involved, or maybe this has something to do with the init.d changes?
I just tried a quick test with FireFox 0.8 on Solaris 2.8/SPARC (=/bin/sh is plain bourne shell, not bash): -- snip -- % export blabla=www.heise.de % ./firefox 'http://$blabla' % cat firefox | fgrep "init.d" % -- snip -- It seems that FireFox 0.8 suffers from the problem (and does not have the "init.d" framework AFAIK). Marking bug as CONFIRMED... ;-(
Status: UNCONFIRMED → NEW
Ever confirmed: true
Debug output (e.g. shell script running with "set -x") from FireFox 0.8 on Solaris 2.8/SPARC: -- snip -- % ./firefox 'http://$blabla' moz_libdir=/usr/local/lib/mozilla-1.6 MRE_HOME=/usr/local/lib/mre/mre-1.6 found=0 progname=./firefox + dirname ./firefox curdir=. run_moz=./run-mozilla.sh + test -x ./run-mozilla.sh dist_bin=. found=1 + [ 1 = 0 ] script_args= moreargs= debugging=0 MOZILLA_BIN=firefox-bin + [ solaris = beos ] + [ 1 -gt 0 ] moreargs= "http://$blabla" + shift 1 + [ 0 -gt 0 ] + export MRE_HOME + eval set -- "http://$blabla" + set -- http://www.heise.de + [ 0 = 1 ] + exec ./run-mozilla.sh ./firefox-bin http://www.heise.de -- snip --
The following patch works around the problem: -- snip -- --- browser/app/mozilla.in 26 Jul 2003 07:51:05 -0000 1.2 +++ browser/app/mozilla.in 7 Apr 2004 20:07:20 -0000 @@ -66,41 +66,41 @@ fi if [ $found = 0 ]; then # Check default compile-time libdir if [ -x "$moz_libdir/run-mozilla.sh" ]; then dist_bin=$moz_libdir else echo "Cannot find mozilla runtime directory. Exiting." exit 1 fi fi script_args="" moreargs="" debugging=0 MOZILLA_BIN="mozilla-bin" if [ "$OSTYPE" = "beos" ]; then mimeset -F $MOZILLA_BIN fi -while [ $# -gt 0 ] +while false do case "$1" in -p | -pure) MOZILLA_BIN="mozilla-bin.pure" shift ;; -g | --debug) script_args="$script_args -g" debugging=1 shift ;; -d | --debugger) script_args="$script_args -d $2" shift 2 ;; *) moreargs="$moreargs \"$1\"" shift 1 ;; esac -- snip -- Later in the script is a "eval" statement: -- snip -- export MRE_HOME eval "set -- $moreargs" if [ $debugging = 1 ] then echo $dist_bin/run-mozilla.sh $script_args $dist_bin/$MOZILLA_BIN "$@" fi exec "$dist_bin/run-mozilla.sh" $script_args "$dist_bin/$MOZILLA_BIN" "$@" -- snip -- This can only go wrong that way... ;-(
The patch seems to solve the problem but I have to test it more extensively. I am still wondering why the script needs to override the content of the argument array (e.g. $@) at all - was there a special reason for that ?
Assignee: security-bugs → dveditz
QA Contact: toolkit
anyone know if is this still a problem?
I can't get this to repro in 2.0.0.17 or 3.0.3. I looked in the startup script for each and I don't see eval being used which appears to have caused the original issue.
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → WORKSFORME
This appears to have been fixed by the patch in bug 307185
Assignee: dveditz → nobody
Depends on: 307185
Resolution: WORKSFORME → FIXED
Group: core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: