Closed Bug 309551 Opened 15 years ago Closed 15 years ago
URLs passed on the command line are parsed by the shell (bash). with cygwin setup version 2
.510 .2 .2
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7 URLs passed on the command line are parsed by the shell (bash). with cygwin setup version 2.510.2.2, same as fixed linux bug Reproducible: Always
The Linux version of this bug was bug 307185.
This may be a stupid question, but, um, how? The Linux bug was because the commandline handler for Linux is a shell script, but since the Windows commandline handler is firefox.exe, how are you seeing URLs parsed by bash? Even if I run |firefox http://local\`find\`host| from a cygwin shell, I just get a Feeling Lucky search for local%60find%60host.
Tim, exact steps to reproduce?
stuff like http://google.com/search?q=$PATH works, the backquoting doesn't. However, this is seems to be what is getting passed to us by bash, so we can't exactly fix it. Nor is this really exploitable since we do not use any sort of bash script while being invoked. If you have a bash shell, and you paste in something bogus, you can hose your system with or without Firefox.
Marking invalid based on comments from Phil and Mike.
Status: UNCONFIRMED → RESOLVED
Closed: 15 years ago
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.