Open Bug 514845 Opened 16 years ago Updated 3 years ago

302 redirect to mailto: - View source executes mailto code

Categories: Toolkit :: View Source, defect
People: Reporter: marun2, Unassigned
Details

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2

In the URL given above, once you visit the page, the URL is 302 redirected to a mailto: so your default email client is supposed to open (in my case my Outlook Express opens). Problem is when you hit Ctrl+U to view source - it is not supposed to 'execute' the mailto: code when viewing source!

Reproducible: Always

Steps to Reproduce:
1. Go to URL
2. Default mail client opens; close it
3. View Source, watch default mail client open again - that means it is executing the mailto: again, when it is not supposed to.

Actual Results:
Mailto: attached to email client opens.

Expected Results:
View source should not trigger the opening of the mailto: client.

Out of curiosity, I input view-source:mailto: and hit Enter. It does open the mailto: email client. When I hit Ctrl+U it shows the source for about:blank (a minimal HTML template page), which I thought was odd. Then I input xxp:mailto: and hit Enter; it says it can't handle protocol 'xxp' (I just made 'xxp' up). So now I enter view-source:xxp: and it says it can't handle the 'view-source:' protocol, when the more appropriate error message would be that it can't handle the 'xxp:' protocol, or some other pertinent error message that 'xxp' is a wrong input, as view-source: is a supported protocol handler. Why doesn't it trigger an error when mailto: is preceded with view-source:? So that means Firefox is executing whatever comes AFTER the word view-source:, so on the same grounds, if I enter view-source:xxp:, it should try to execute xxp:, which is an unsupported protocol on most systems, so the error message should reflect the fact that xxp: is not a valid protocol...

I made two test cases:

http://www.coderidge.com/redtest.php -> This page sends a 302 redirect to update your Twitter status. Though not malicious, a misleadingly labeled link on a malicious site can 302 to a Twitter status update link (this works only if you are logged in to Twitter using the web interface in another tab); a malicious site, for example, can do this to get visitors tweeting about their page without them knowing about it. On further thought, that site could also put an HTTP meta refresh redirecting a page to the Twitter status update screen. Maybe it's the fault of Twitter for allowing status updates via GET URLs?

http://www.coderidge.com/redtest2.php (can possibly be perceived as malicious if misused) -> This page 302's to the skype: protocol; if you have Skype installed and set to handle the skype: protocol, then it brings up Skype.

Maybe 302's should be restricted by protocol? That is, an HTTP 302 redirect shouldn't be able to redirect to a protocol other than HTTP?
Severity: trivial → normal
Component: General → View Source
Product: Firefox → Toolkit
QA Contact: general → view.source
Confirming on Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2

I can't find anything in View Source to dupe this to though.

There are a lot of bad practices here. For one, Twitter should not be using GET URLs to do things with side effects (that's against the spec). That's not our problem though.

Second, we should probably prevent using view-source: with protocols that don't make sense. We already don't view-source javascript:, and should probably not do that for mailto: or anything else that goes to a third-party app.

Per RFC 2616 (HTTP 1.1) 302 redirects can go to any URI so this shouldn't be limited there. The appropriate place to quash this is in view-source:.
Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: Windows XP → All
Hardware: x86 → All
Version: unspecified → Trunk
Severity: normal → S3
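As an added defender-side example (not code from this report or from Firefox), a small Python policy check modelled on the confirmer's suggestion: resolve a redirect's Location header, peel any view-source: wrapper, and flag targets whose scheme would hand off to an external application instead of producing a document. The DOCUMENT_SCHEMES allowlist, the host names and the sample responses are constructed assumptions.

```python
from urllib.parse import urljoin, urlsplit

# Constructed allowlist: schemes whose target is a document a browser can
# render. Anything else (mailto:, skype:, javascript:, ...) is dispatched to
# another handler, which is exactly what view-source: should never do.
DOCUMENT_SCHEMES = {"http", "https", "file", "ftp", "data", "about"}
REDIRECT_STATUSES = {301, 302, 303, 307, 308}

def effective_scheme(location, base, max_unwrap=8):
    """Resolve a Location header against the redirecting page and return the
    lowercase scheme the browser would actually dispatch to. Any number of
    leading 'view-source:' wrappers is peeled off, so 'view-source:mailto:x'
    is judged as mailto. Returns None if no scheme can be determined."""
    target = location.strip()
    for _ in range(max_unwrap):  # bound the unwrapping loop
        parsed = urlsplit(urljoin(base, target))
        scheme = parsed.scheme.lower()
        if scheme != "view-source":
            return scheme or None
        # urljoin leaves non-http targets untouched, so the wrapper is still
        # the first 12 characters (in any letter case); strip it and re-check.
        target = target[len("view-source:"):].strip()
    return None

def redirect_allowed(location, base):
    """Hypothetical policy mirroring the confirmer's suggestion: a redirect
    (or a view-source: wrapper) may only land on a document-producing scheme."""
    return effective_scheme(location, base) in DOCUMENT_SCHEMES

def audit(responses):
    """Given (url, status, location) tuples from captured responses, return
    the redirects that would hand off to an external application."""
    flagged = []
    for url, status, location in responses:
        if status in REDIRECT_STATUSES and location is not None:
            if not redirect_allowed(location, url):
                flagged.append((url, effective_scheme(location, url)))
    return flagged

# Constructed sample responses, modelled on the two test pages in the report.
SAMPLE_RESPONSES = [
    ("http://host.test/redtest.php", 302, "https://example.test/landing"),
    ("http://host.test/redtest2.php", 302, "skype:echo123?call"),
    ("http://host.test/mail", 302, "mailto:someone@example.test"),
    ("http://host.test/rel", 302, "/relative/path"),
    ("http://host.test/wrap", 302, "view-source:mailto:someone@example.test"),
    ("http://host.test/ok", 200, None),
]

if __name__ == "__main__":
    for url, scheme in audit(SAMPLE_RESPONSES):
        print(f"{url} redirects to non-document scheme {scheme!r}")
```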