Bug#172436: Security concerns regarding browser proposal
On Sun, Aug 03, 2003 at 07:48:43PM -0400, Matt Zimmerman wrote:
> It might be a good idea to specify how quoting should be handled, both for
> shell metacharacters and format specifiers.
>
> From the existing text, it seems that "command part" means "shell command
> part", and it is impossible to implement this securely without specifying a
> scheme for handling shell metacharacters. See, for example, the recent xpdf
> discussions, where the URL-handling command could be exploited by a URL
> containing metacharacters if it did not quote the argument. Even if the
> command includes quotes around a substitution variable such as %s, the
> caller MUST quote any quote characters in the URL itself in order to be
> secure.
>
> The semantics for %s and %% so closely match printf that they beg to be
> implemented using printf itself. This means that % characters also present
> a security risk through well-known format string attacks.
>
> If we were starting from scratch, it would be simpler to address these
> concerns, but since we are trying to follow esr's proposal, it seems more
> complicated. I consider the specification to be flawed if it does not
> address these security concerns. The example given in esr's document:
>
> BROWSER="netscape -raise -remote \"openURL(%s,new-window)\":lynx"
>
> is easily exploited by a URL such as:
>
> http://my.fun.site/"; echo Do bad things
>
> (with a bit more cleverness it might be possible even to conceal the error
> message that would be generated)
>
How about (sorry for the long line...)
http://my.fun.site/,new-window);otherNetscapeFunction();openURL(http://my.fun.site/popup/
This is targeted at attacking the netscape / mozilla command
line parser, not the shell. If this class of exploit can be
implemented, then it will be necessary to escape URLs anyway.
The use of URL-escaping as per the HTTP protocol seems to be a
good solution, but I am not sure.
--
This message is hastily written, please ignore any unpleasant wordings,
do not consider it a binding commitment, even if its phrasing may
indicate so. Its contents may be deliberately or accidentally untrue.
Trademarks and other things belong to their owners, if any.
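Added example, not code from this bug report or from either poster: one way a BROWSER-consuming program could address the three points raised above. The %s/%% expansion is done by hand rather than through printf, so '%' bytes in the URL are never treated as format directives; the URL is wrapped in single quotes before substitution so the shell sees it as one word whatever it contains; and, following the URL-escaping idea in the reply, bytes outside a conservative allow-list are percent-encoded before the command parser of the browser ever sees them. The function names, the allow-list and the sample URL are this example's own choices, not from the spec.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Expand a BROWSER-style template by hand: "%s" -> url, "%%" -> '%'.
 * No printf is involved, so '%' bytes inside the URL are copied
 * verbatim and never reach a format engine. Any other '%' sequence is
 * rejected (assumption: only %s and %% are defined). Returns the output
 * length, or -1 on an unknown directive or a too-small buffer. */
long expand_browser_command(const char *tmpl, const char *url,
                            char *out, size_t outlen)
{
    size_t o = 0;
    for (const char *p = tmpl; *p; p++) {
        if (*p != '%') {
            if (o + 1 >= outlen) return -1;
            out[o++] = *p;
            continue;
        }
        p++;
        if (*p == 's') {
            size_t n = strlen(url);
            if (o + n >= outlen) return -1;
            memcpy(out + o, url, n);
            o += n;
        } else if (*p == '%') {
            if (o + 1 >= outlen) return -1;
            out[o++] = '%';
        } else {
            return -1;
        }
    }
    out[o] = '\0';
    return (long)o;
}

/* Wrap s in single quotes so it is one shell word regardless of content.
 * Inside single quotes only the quote itself is special; it is emitted
 * as '\'' (close, backslash-quote, reopen). Returns length or -1. */
long shell_single_quote(const char *s, char *out, size_t outlen)
{
    size_t o = 0;
    if (outlen < 3) return -1;
    out[o++] = '\'';
    for (; *s; s++) {
        if (*s == '\'') {
            if (o + 4 >= outlen) return -1;
            memcpy(out + o, "'\\''", 4);
            o += 4;
        } else {
            if (o + 1 >= outlen) return -1;
            out[o++] = *s;
        }
    }
    if (o + 1 >= outlen) return -1;
    out[o++] = '\'';
    out[o] = '\0';
    return (long)o;
}

/* Percent-encode every byte outside a conservative allow-list: RFC 3986
 * unreserved characters plus the delimiters a browser needs to see
 * (: / ? # & = + @ %). Quotes, semicolons, parentheses, backticks and
 * spaces are all encoded, so neither the shell nor a remote-command
 * parser sees them. The allow-list is this example's own choice. */
long url_escape_unsafe(const char *s, char *out, size_t outlen)
{
    static const char keep[] = "-._~:/?#&=+@%";
    static const char hex[] = "0123456789ABCDEF";
    size_t o = 0;
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (isalnum(c) || strchr(keep, c)) {
            if (o + 1 >= outlen) return -1;
            out[o++] = (char)c;
        } else {
            if (o + 3 >= outlen) return -1;
            out[o++] = '%';
            out[o++] = hex[c >> 4];
            out[o++] = hex[c & 0x0F];
        }
    }
    out[o] = '\0';
    return (long)o;
}

int main(void)
{
    /* Constructed input: a URL carrying a quote, a space and a semicolon. */
    const char *url = "http://example.test/a'b c;d";
    char esc[128], q[128], cmd[256];
    url_escape_unsafe(url, esc, sizeof esc);
    shell_single_quote(esc, q, sizeof q);
    expand_browser_command("netscape -remote \"openURL(%s,new-window)\"",
                           q, cmd, sizeof cmd);
    printf("%s\n", cmd);
    return 0;
}
```

Single-quoting only protects the shell layer: a template that already double-quotes around %s, as in the example above, will hand the literal single quotes on to the browser's remote-command parser, which is why the percent-encoding step runs first. Where no shell is needed at all, passing the expanded words directly to execvp avoids the shell-quoting question entirely.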