392240 - doesn't execute the commands in the url.

Status: RESOLVED WONTFIX

(Firefox :: General, defect)

Description

[Silent]

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6

When I click the URL (steam: "-applaunch 10 -console -game cstrike +password afk +connect 194.105.152.227:27015") I made in my websie, it launches Steam.exe but doesn't excute the commands after. It worked before the 2.0.0.6 update and it works on internet explorer.

Reproducible: Always

Steps to Reproduce:
1. Find another URL with this kind of commands or buy Counter-Strike 1.6...
2. Click the URL
3. Wait for the start of the application
Actual Results:  
The application starts but the command arn't executed.

Expected Results:  
Execute steam:%20%22-applaunch%2010%20-console%-game%20cstrike%20+pasword%20afk%20+connect%20194.105.152.227:27015%22 instead of steam: "-applaunch 10 -console -game cstrike +password afk +connect 194.105.152.227:27015"

Comment 1

[Jesse Ruderman]

It looks like you're use the double-quote character to trick the combination of (Firefox, Windows, and Steam) into treating steam: URLs (intended to be used for things described at http://developer.valvesoftware.com/wiki/The_steam://_Protocol) as a series of separate command-line arguments.  This is exactly the kind of abuse that causes security holes for many programs (perhaps including Steam?) and the reason we changed the URI escaping behavior in Firefox 2.0.0.6.  See http://www.mozilla.org/security/announce/2007/mfsa2007-27.html.

Comment 2

[Andrew Cook]

I'm a year and a half too late, but There Is A Better Way:

steam://connect/194.105.152.227:27015/afk

Simple, doesn't violate security constraints, and is even prominently mentioned on the very page that describes Steam URIs in the first place.