Windows 8 Metro Firefox Sec Review: review command execution handler

Security Assurance
5 years ago

(Reporter: curtisk, Assigned: dchan)
Action item from review to review the command execution handler
Priority: P4 → --

Comment 1

5 years ago
Jim: Where in the elm branch would I find the code for the command execution handler?

Is it under browser/metro or another directory?
Flags: needinfo?(jmathies)

Comment 3

5 years ago
Sorry for the delay :jimm,

I finally got around to looking at the CEH code and it looks okay to me.

My one comment is the handling of DX10 mode. The CEH checks the registry for a DX10 key, and falls back to feature detection if this key is not found. [1] There is a corner case where if the system changes, DX10 support may not align with the current hardware support, e.g. adding / removing video card / card drivers.

Links and URLs are only handled if Firefox is the default desktop / immersive browser. Desktop Firefox is executed with ShellExecute with the target exe and parameters individually set. This avoids possible command line injections. Metro browser requests go through IApplicationActivationManager to launch / handle the metro browser and its arguments. Injection isn't possible through this interface since you declare the target program through its app model id and arguments are passed as a separate string.

I'm going to close off this part of the review as RESOLVED.

[1] -
Last Resolved: 5 years ago
Resolution: --- → FIXED
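The desktop launch path described in Comment 3, as a constructed example added here (not Firefox's CEH code): the executable stays a separate field from the parameter string, the URL is quoted with the MS C runtime rules, and a simplified CommandLineToArgvW-style splitter shows how the child process would see the result next to a concatenated command line. `LaunchSpec`, `build_desktop_launch` and `split_windows_cmdline` are assumed names; the exe path and URLs are sample values.

```python
import subprocess
from dataclasses import dataclass

# Constructed model of the launch path the review describes, not the CEH
# code; LaunchSpec, build_desktop_launch, split_windows_cmdline are assumed names.

@dataclass(frozen=True)
class LaunchSpec:
    target: str      # ShellExecute lpFile (the exe) or the Metro app model id
    parameters: str  # passed as a separate string, never merged into target

def concatenated_launch(firefox_exe: str, url: str) -> str:
    """The pattern the CEH avoids: one command line built by concatenation."""
    return firefox_exe + " " + url

def build_desktop_launch(firefox_exe: str, url: str) -> LaunchSpec:
    """Desktop path: exe fixed by the handler; URL quoted with the MS C runtime
    rules (subprocess.list2cmdline) so the child sees it as one argument."""
    return LaunchSpec(firefox_exe, subprocess.list2cmdline([url]))

def split_windows_cmdline(cmdline: str) -> list:
    """Simplified CommandLineToArgvW splitting: whitespace outside quotes splits;
    2n backslashes + quote -> n backslashes, 2n+1 -> n backslashes + literal quote."""
    args, cur, in_quotes, pending, i = [], [], False, False, 0
    while i < len(cmdline):
        c = cmdline[i]
        if c == "\\":
            n = len(cmdline[i:]) - len(cmdline[i:].lstrip("\\"))
            i += n
            quoted = i < len(cmdline) and cmdline[i] == '"'
            cur.append("\\" * (n // 2 if quoted else n))
            if quoted and n % 2:  # odd count: this quote is literal
                cur.append('"')
                i += 1
        elif c == '"':
            in_quotes = not in_quotes
            i += 1
        elif c in " \t" and not in_quotes:
            if pending:
                args.append("".join(cur))
            cur, pending, i = [], False, i + 1
            continue
        else:
            cur.append(c)
            i += 1
        pending = True
    if pending:
        args.append("".join(cur))
    return args
```

A URL containing a space and a quote stays one argument on the desktop path, while the concatenated form splits into several; the Metro path is the same shape with the app model id as `target`.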