Hey, Mozilla: Quotes Are Not Legal in a URL

re: Hey, Mozilla: Quotes Are Not Legal in a URL

ortankal — Sat, 01 Nov 2008 20:18:55 GMT

I would like to see some cooperation between the different software companies, to think about solutions that benefits for everybody.

re: Hey, Mozilla: Quotes Are Not Legal in a URL

Reverend JAxON — Wed, 01 Aug 2007 13:34:20 GMT

you can pick exploder which is just about as exciting as the Taco Bell menu. Or - pick Firefx which is the mexican putting your Nachos Bell Grande together. At least homeboy can mix it up!

re: Hey, Mozilla: Quotes Are Not Legal in a URL

Pentiux — Tue, 31 Jul 2007 03:06:22 GMT

Outsmating each other.

Both have flaws, I think.

Let's see who fixes thier flaws first.

re: Hey, Mozilla: Quotes Are Not Legal in a URL

Toma Bussarov — Mon, 30 Jul 2007 06:55:34 GMT

Did anybody read the picture from Firefox?

Just below the scary url that is presented to the user is written:

...it may be an attempt to exloit a weekness in that other program ...

In the case of IE "that other program" is Firefox. No more searching whose fault it is. Mozilla confesses.

re: Hey, Mozilla: Quotes Are Not Legal in a URL

Sean — Fri, 27 Jul 2007 17:11:31 GMT

My feeling on the whole thing? A pox on both their houses for not looking out for the security interests of the end user. Both Microsoft and Mozilla failed in an extremely important concept, ALL INPUT FROM REMOTE SOURCES MUST BE SANITIZED BEFORE IT IS ACCEPTED FOR INPUT! Microsoft is vile for passing on unsantized data, and Firefox is vile for not sanitizing its input.

re: Hey, Mozilla: Quotes Are Not Legal in a URL

dabur — Fri, 27 Jul 2007 09:24:50 GMT

I'm responsible for security in my company. For me it doesn't matter if it's FF or IE or AOL or "WTF" with a vulnerability.... The only thing that matters is having a fix so I can start the system engineers doing the dsitribution of it on all our client and server systems.

I would like to see some cooperation between the different software companies, to think about solutions that benefits for everybody.

Maybe looking in RFC3986 again and optimize it?

Fact: Nobody is perfect. All software have vumnerabilities. It's a matter of when they are discovered.

Greetings.

re: Hey, Mozilla: Quotes Are Not Legal in a URL

paperino — Fri, 27 Jul 2007 05:24:52 GMT

@Muffin

I've never seen MS blame Turing for their bugs as Window Snyder just did.

re: Hey, Mozilla: Quotes Are Not Legal in a URL

aaaaa0 — Fri, 27 Jul 2007 03:50:37 GMT

punissuer:

In which case, firefox should define a new command line switch and register its protocol handler like this:

firefox -untrustedurl "%1"

Then regular users using -url would be free to combine it with other switches, while the URL protocol handler would only use the safe switch (which would do all of what Jesper suggests.

re: Hey, Mozilla: Quotes Are Not Legal in a URL

punissuer — Thu, 26 Jul 2007 20:58:59 GMT

How is the protocol handler more able than <i>whatever</i> populated argv and argc even to determine where a maliciously malformed URL begins and ends if the calling app has not relayed this information with quotes, and escaped quotes in the malformed URL? Skimming your blog, I found this statement which seems relevant:

<blockquote>It's vital for the protocol handler to see the "-url" argument as indication that everything following it is suspect. The first double-quote should not be taken as a sign that "%1" is over - the last double-quote before the end of the command line is that indicator.</blockquote>

I would agree with this statement completely if the -url argument were used only by programs calling Firefox as a protocol handler, so the command could have only the form 'firefox -url "%1"'. But users can type the -url arg into CMD.EXE by hand, and follow it with other args, so the assumption that it must be the last double quote that ends the URL is not valid.

Also, the calling browser could use the "known good" principle you mention on your blog while escaping the URL. Only characters which are not valid in URLs (like whitespace and double quotes) would be escaped, so a well formed URL would be unchanged. Who cares if a maliciously malformed URL gets mangled? The protocol handler should throw some kind of exception upon such input, anyway.

re: Hey, Mozilla: Quotes Are Not Legal in a URL

Alun Jones — Thu, 26 Jul 2007 19:48:50 GMT

You're right - details of how to parse the protocol are only available to code that knows something about the protocol, and clearly the protocol handler would have no more knowledge about the protocol than the C Run-time library (it's not the command line interpreter, which people typically use to mean CMD.EXE)

re: Hey, Mozilla: Quotes Are Not Legal in a URL

punissuer — Thu, 26 Jul 2007 19:21:46 GMT

Alun, I disagree with your characterization of the situation. The first browser (whether IE or Firefox) is indeed acting as a browser. It downloads, parses, and renders an HTML page. It identifies anchor tags and href attributes, whose values should be URLs. It's irrelevant whether the protocol handler is even aware of the network (file URLs, anyone?) since the problem occurs while it's validating its command-line input. As for validating the command line as a single string, how is the protocol handler in any better position than the command-line interpreter that populated argv and argc? Information about the original intent is lost when the calling browser fails to quote or escape the arguments.

re: Hey, Mozilla: Quotes Are Not Legal in a URL

multi_io — Thu, 26 Jul 2007 18:07:04 GMT

@Aaron Margosis

Yes it is issuing the command if you click on a link named something like <a href='firefoxurl://foo.com"%20-chrome%20"BLOCKED SCRIPTsomething()"'>, which is the whole point of the discussion!

(let's see how much of that text is left intact by the broken blog software on this server -- btw: is it any indication for MS's state of confusion when it comes to quoting issues that the server software here replaces every occurrence of "j a v a s c r i p t:something()" with "BLOCKED SCRIPT:something()"? :-P)

re: Hey, Mozilla: Quotes Are Not Legal in a URL

Alun Jones — Thu, 26 Jul 2007 15:47:38 GMT

@punissuer: If it's too difficult for you to spot malicious input using argc and argv, then you should stop using argc and argv. As Aaron pointed out, at any stage you can call GetCommandLine to get the command line as a single string and do your own parsing; you can also write your code as a Win32 app, rather than a console-mode app, and it will receive a single string containing the entire command line.

In this case, Internet Explorer is acting as a proxy, not a browser, and should behave that way; the protocol handler is acting as an Internet-facing client, and should behave that way. Asking that the proxy encode or decode stuff for you is not appropriate, because you will lose information about what the original intent was.

re: Hey, Mozilla: Quotes Are Not Legal in a URL

Ivan Magrini — Thu, 26 Jul 2007 09:49:04 GMT

To linuxuser: shame on you! I'm actually sick of this "MS is bad" "Linux/OSS is good" ... this is a technical discussion and Jesper's arguments are totaly OK.

As a software developer (no, I do not use MS development tools) I know, that you can never trust input passed to your app ... and therefore you should allways validate what your app is getting from the outside .... otherwise you are just a fool.

re: Hey, Mozilla: Quotes Are Not Legal in a URL

punissuer — Thu, 26 Jul 2007 07:00:19 GMT

As an argument for why web browsers should not perform any validation on arguments they pass to apps they call, I find David LeBlanc's insights far from convincing. If my "CriticalBusinessApp [needed] quotes coming in" when it was being called as an URL handler, I'd ask my programmers what they were smoking. Also, detecting malicious input is more difficult after it's been split into multiple arguments by the command line interpreter. For example, validating an arg that's supposed to be an URL will not detect that the following -chrome arg was supposed to be part of that URL.

If we were talking about general applications, I might agree more with LeBlanc, but we're talking about web browsers. There are rules that all web browsers are supposed to follow (like the spec for what is an URL), and so a browser has more context to determine what would obviously be invalid input for an external app. If what incoming HTML said was an URL does not look like an URL, then it would obviously be poison for any program that expected an URL, so it should be escaped, and quoted to prevent splitting or other misinterpretation by the command line interpreter.