Bug 307185 - URLs passed on the command line are parsed by the shell (bash).
: fixed-aviary1.0.7, fixed1.7.12, fixed1.8
Product: Core Graveyard
Classification: Graveyard
Component: Cmd-line Features
: Trunk
: x86 Linux
: -- major with 1 vote
Assigned To: Tuukka Tolvanen (sp3000)
Depends on:
Blocks: 238710
Reported: 2005-09-06 02:06 PDT by peterzelezny
Modified: 2009-05-04 15:28 PDT
dveditz: blocking1.7.12+
dveditz: blocking‑aviary1.0.7+
dveditz: blocking1.8b5+
dveditz: blocking1.9a1+

patch1: rearrange argument list (firefox only) (1000 bytes, patch)
2005-09-06 08:38 PDT, Tuukka Tolvanen (sp3000)
no flags
patch2: all apps (8.73 KB, patch)
2005-09-07 15:09 PDT, Tuukka Tolvanen (sp3000)
benjamin: review+
aviary101 patch1 (6.50 KB, patch)
2005-09-12 14:28 PDT, Tuukka Tolvanen (sp3000)
dbaron: approval‑aviary1.0.7+
mozilla17 patch1 (7.14 KB, patch)
2005-09-12 14:29 PDT, Tuukka Tolvanen (sp3000)
dbaron: approval1.7.12+
trunk patch2.1 (8.78 KB, patch)
2005-09-12 14:37 PDT, Tuukka Tolvanen (sp3000)
tuukka.tolvanen: review+
bryner: superreview+
dbaron: approval1.8b5+

Description peterzelezny 2005-09-06 02:06:11 PDT
User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20050719 Galeon/1.3.21
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20050720

URLs passed on the command line, e.g. firefox <url>, seem to be fed into the shell
(bash). This makes it particularly hard to reliably pass URLs to firefox from
external programs. Mozilla 1.7.10 (1.5.1-FC4) doesn't seem to be affected.

using: firefox-1.0.6-1.1.fc4

Reproducible: Always

Steps to Reproduce:
1. cd /
2. mozilla http://local\`find\`host (works fine, gives DNS error)
3. firefox http://local\`find\`host (executes find!)

Actual Results:  
The URL's backticks were parsed.
Comment 1 Tuukka Tolvanen (sp3000) 2005-09-06 03:44:48 PDT
confirmed firefox MOZILLA_1_8 2005-09-01-14Z and suite 1.8b1
Comment 2 Tuukka Tolvanen (sp3000) 2005-09-06 06:47:58 PDT
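    # excerpt; the option-handling case branches are omitted
    while [ $# -gt 0 ]; do
      case "$1" in
        *) moreargs="$moreargs \"$1\"" ;;   # double quotes only
      esac
      shift
    done
    eval "set -- $moreargs"                 # string is re-parsed by the shell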

The words in the string passed to eval for the non-option arguments to 'set'
need to be quoted. Putting double quote characters around something is not
quoting; double quotes quote very little. Putting single quotes around it and
substituting '\'' for each ' in the content would do, I think. A perhaps prettier
way would be to not construct an eval-able argument array string at all, but
instead work by rearranging options in the positional options array directly, so
no manual quoting is necessary.
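
Added example (not part of the original thread and not the Mozilla launcher script): the three ways of rebuilding the argument list that Comment 2 compares, run on a constructed URL whose embedded command is a harmless echo. The function names and the --debug option are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not the Mozilla script. --debug is an illustrative option.

# Pattern from the excerpt: double quotes + eval. The shell re-parses each
# word, so `...`, $(...) and $var inside an argument are expanded.
rebuild_double_quoted() {
  moreargs=""
  for a in "$@"; do moreargs="$moreargs \"$a\""; done
  eval "set -- $moreargs"
  printf '%s\n' "$@"
}

# Single-quote a word for eval: wrap in '...' and turn each ' into '\''.
# Result is left in $quoted (no command substitution, so nothing is trimmed).
sq_quote() {
  s=$1 quoted=
  while :; do
    case $s in
      *\'*) head=${s%%\'*}; s=${s#*\'}; quoted="$quoted$head'\\''" ;;
      *) break ;;
    esac
  done
  quoted="'$quoted$s'"
}

rebuild_single_quoted() {
  moreargs=""
  for a in "$@"; do sq_quote "$a"; moreargs="$moreargs $quoted"; done
  eval "set -- $moreargs"
  printf '%s\n' "$@"
}

# No eval at all: rotate "$@" once, dropping the options the wrapper consumes.
rebuild_positional() {
  debug=0 n=$#
  while [ "$n" -gt 0 ]; do
    case $1 in
      --debug) debug=1 ;;       # consumed by the wrapper
      *) set -- "$@" "$1" ;;    # kept: appended byte-for-byte
    esac
    shift
    n=$((n - 1))
  done
  printf '%s\n' "$@"
}

# Constructed sample argument; the embedded command is a harmless echo.
url='http://local`echo INJECTED`host'
echo "double quotes + eval: $(rebuild_double_quoted "$url")"
echo "single quotes + eval: $(rebuild_single_quoted "$url")"
echo "positional rotation:  $(rebuild_positional --debug "$url")"
```

Only the first function changes the argument; the other two hand it on unchanged, and the positional variant needs no quoting logic at all.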
Comment 3 Tuukka Tolvanen (sp3000) 2005-09-06 08:38:35 PDT
Created attachment 195012
patch1: rearrange argument list (firefox only)

so. This would need to be done for the other instances of,
too, of course...
Comment 4 hikaru1 2005-09-07 04:25:09 PDT
To demonstrate this problem with mozilla 1.7.10 it's a little more difficult
because the output of the command winds up going into the URL address bar.

try loading http://local`df`host - you'll wind up with the output going into the
URL bar, along with mozilla freaking about lots of things being invalid urls.

Just wanted to point out this problem is affecting both firefox and mozilla.
Comment 5 Tuukka Tolvanen (sp3000) 2005-09-07 15:09:06 PDT
Created attachment 195185
patch2: all apps

here's a patch for all instances of $moreargs juggling that lxr found -- who
all does it need review from? I can't say I've tested all of these, but they
are rather identical.
Comment 6 peterzelezny 2005-09-09 20:48:19 PDT
What is the next release version this is likely to be included in?
Comment 7 Tuukka Tolvanen (sp3000) 2005-09-12 14:28:35 PDT
Created attachment 195796
aviary101 patch1

...if needed
Comment 8 Tuukka Tolvanen (sp3000) 2005-09-12 14:29:03 PDT
Created attachment 195797
mozilla17 patch1
Comment 9 Tuukka Tolvanen (sp3000) 2005-09-12 14:37:46 PDT
Created attachment 195798
trunk patch2.1

left one stray 'moreargs=""' in trunk patch2. carrying over r=benjamin
Comment 10 David Baron :dbaron: ⌚️UTC-10 2005-09-20 13:58:30 PDT
Do those aviary1.0.1 and mozilla1.7 patch1s have the fix that's in trunk patch 2.1?
Comment 11 David Baron :dbaron: ⌚️UTC-10 2005-09-20 14:24:51 PDT
attachment 195797 landed on MOZILLA_1_7_BRANCH, 2005-09-20 14:08 -0700 (sorry
for forgetting to credit patch author in the checkin comment on this branch only).

attachment 195796 landed on AVIARY_1_0_1_20050124_BRANCH, 2005-09-20 14:10 -0700.

attachment 195798 landed on trunk, 2005-09-20 14:11 -0700.

attachment 195798 landed on MOZILLA_1_8_BRANCH, 2005-09-20 14:13 -0700.
Comment 12 Tuukka Tolvanen (sp3000) 2005-09-20 14:55:26 PDT
> Do those aviary1.0.1 and mozilla1.7 patch1s have the fix that's in trunk patch

they do.

> attachment 195797 landed on MOZILLA_1_7_BRANCH, 2005-09-20 14:08 -0700

Comment 13 logan 2005-09-20 16:00:09 PDT
This also fixes bug 288378.
Comment 14 Juha-Matti Laurio 2005-09-20 16:05:35 PDT
This was published as a public 'High Risk' advisory on 21st Sep '05.
Comment 15 Juha-Matti Laurio 2005-09-20 16:16:18 PDT
on 20th Sep 2005, via FrSIRT mailing list 21:07:33 GMT and at FrSIRT web site
Comment 16 Juha-Matti Laurio 2005-09-20 16:48:36 PDT
Secunia said 'Extremely critical' (i.e. 5/5)
Comment 17 Steven V. 2005-09-20 18:55:53 PDT
Ideally, input validation should be done with a white list of allowed characters.
For example, if the supplied argument does not match a regex of
[a-zA-Z0-9:/\.=&\? %]* prompt the user or die with grace. Just a thought.
Comment 18 Christian :Biesinger (don't email me, ping me on IRC) 2005-09-21 05:53:45 PDT
that wouldn't work for IDN.
Comment 19 Tracy Walker [:tracy] 2005-09-21 10:45:08 PDT
verified with linux Mozilla 1.7.12 2005-09-20-17-1.7
Comment 20 Jesse Ruderman 2005-09-21 20:04:32 PDT
See also bug 309551, same bug on Windows (with Cygwin).
Comment 21 Arthur 2005-09-22 11:01:08 PDT
Don't forget that this affects TB as well. FF and the suite have been released
with the fixes. And is several
months out of date.
Comment 22 Juha-Matti Laurio 2005-09-22 16:53:21 PDT
All SA16869, SA16846 and SA16901 advisories were rated as Extremely Critical.
CVE id for this issue is .
Comment 23 Marcia Knous [:marcia - use ni] 2005-09-24 16:05:45 PDT
I will verify that this is fixed in Tbird 1.0.7 on Monday when I have access to
a Linux machine.

(In reply to comment #21)
> Don't forget that this affects TB as well. FF and the suite have been released
> with the fixes. And
> is several
> months out of date.

Comment 24 Marcia Knous [:marcia - use ni] 2005-09-26 18:15:19 PDT
Verified on Linux using Thunderbird build 20050923-15
Comment 25 Ceki Gulcu 2005-10-31 12:23:51 PST
After installing FF 1.0.7 a few days ago, we noticed a problem which occurs with FF 1.0.7 (Linux platform) but not with FF 1.0.1 (Linux platform) nor FF 1.0 (Windows XP).

We have a web-application which uses the GET method to fill a form. The application can be found at

When the user starts playing, he or she will interact with our application with a URL of the following form: ;jsessionid=aAn3pQQOk69b?showCandidates=true&asString=1.586....8.9.2...7.3.4..21.9..3...2..81...53..7...6..1.17..4.\

However, with FF 1.0.7 the URL is somehow transformed to:\

The value for "asString" parameter becomes "123" instead of a much
longer (and correct) value.

As noted above, we are observing this problem only with FF 1.0.7 and
not with any other browser we have access to.
