-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On Fri, Feb 23, 2024 at 02:34:27AM +0000, Qubes OS Users Mailing List wrote:
> Just realized I sent this as "reply" instead of "reply all". Sorry for
> the spam, Ulrich, but I want to make sure this is visible to others who
> might have a similar problem.
> 
> I think the problem is that the URL doesn't end up getting quoted on the
> other end. When this is sent:
> 
> [quote="Ulrich_Windl1, post:3, topic:24602"]
> #!/bin/bash
> qvm-run-vm '$dispvm' /bin/firefox "$1"
> [/quote]
> 
> The VM will end up getting the URL value with no quotes, because the
> quotes in that script are only for the local bash interpreter, not sent
> to `qvm-run-vm`. The whole expression is quoted in the exec line, but
> bash will interpret the line so the ampersand causes a background
> process to start instead of being incorporated in the URL.
> 
> I'm not sure if this is a problem in `qvm-run-vm`. Some people might
> want to take advantage of the shell interpretation. And since the caller
> is able to run any arbitrary shell command anyway, problems like leaking
> environment variables aren't particularly relevant (they have permission
> to see that if they have permission to run arbitrary commands, and
> output is returned to the caller by design).
> 
> I would guess that updating the `run-vm-firefox` command to quote the
> URL within the double-quotes will fix it. [Also note that the `$` is
> deprecated, as described in this
> article](https://www.qubes-os.org/news/2020/06/22/new-qrexec-policy-system/#security-in-symbols).
> 
> The new symbol is `@`; I have only used it in policy files, but I assume
> that it will work here too so long as you are running 4.1 or newer. So
> the new file would look like this:
> 
> ```bash
> #!/bin/bash
> qvm-run-vm '@dispvm' /bin/firefox "'$1'"
> ```
I suggest escaping single quotes in the $1 and adding a "--" before it.
This prevents command injection attacks via a malicious URL. So the
result might be

```bash
#!/bin/bash --
# ${1//\'/\'\\\'\'} rewrites every ' in $1 as '\'' before the whole value
# is wrapped in single quotes, so the URL cannot close the quotes early.
exec qvm-run-vm @dispvm /bin/firefox -- "'${1//\'/\'\\\'\'}'"
```

- -- 
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEdodNnxM2uiJZBxxxsoi1X/+cIsEFAmXYFjsACgkQsoi1X/+c
IsHcAhAApDWk48QftzKO5NKdrpelrUZLJ0whO4VK98wW4aONFGyE2UpyTcfD+Nyu
wPmrdFcsyb1s1aR4T+9LRKnRe+cdad5ik7p9eDwbMEl1VKqCE5wZOiYqmOhiQ/XY
RRjVNSlHiiuRhbIWGmZDQcZ5H6pOfxud0UwcxGoJ5mjoe8RezEaxQ/Keibx25mKQ
uYK9WxNsk0ih7hIcaLeyCMxMwwZJmiDVP4dIfw121xh/IhrZfJ9gGBwKYLUqBl0u
esz3igOu91Yz8eFODscUC5rwPoXUgdOOEpmi+I7GH7Mz2ORgg+GXgGOfPf6+gi90
DMcDCbBXR9vcLVC4OlOe6vy/KQ7YxXqJe2V7m5snmYVibDmJshBPB7gop9ZeW3gr
8JpY3/WKPgFaxtPANi+wtrZ2LhJjMiPH3B+2MHZwaHTDADExw+t9F4NqXCTwj8gO
qH2z9d6tTJtDDQ+fC47xPwGfhkMHaxiEGysvmFYMfH4rCaWcRrRQpz1u0A4U1YEz
wAFbtkoE6SEL7bCchcN0Ey/T4x38MWJw6u3oIRvhwGpn1VOOMnl9bQSU6EHbImy3
Cb3eg94BZIo9wkNOp7VPxiHxav1dgFJXpGy/U2J687wtmgsnImSpRqh8H+lmxsix
pWl/ulZRt0EE7Y44Oo7BYJIqtPr5s+8yr8NsxM2QmAZ4nAdCH1E=
=CD88
-----END PGP SIGNATURE-----

-- 
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/ZdgWO-3Ykm_f4bUE%40itl-email.
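The three forms discussed in this thread (the original unquoted `"$1"`, the proposed `"'$1'"`, and the single-quote-escaped version), as an added example that is not part of the thread and not Qubes OS code. It assumes that `qvm-run-vm` hands its command line to a shell inside the target VM, so `sh -c` stands in for that remote shell, and `printf` stands in for `/bin/firefox` so that the arguments the browser would actually receive are visible. The two hostile URLs are constructed for the demonstration, and `shell_quote` is a POSIX `sed` equivalent of the bash-only `${1//\'/\'\\\'\'}` expansion in the reply above.

```shell
#!/bin/sh
# Added example, not code from the thread or from Qubes OS. It shows why the
# unquoted URL in the original script is executed as shell syntax, why the
# "'$1'" fix is still injectable, and what single-quote escaping achieves.
# Assumption: qvm-run-vm hands its command line to a shell inside the target
# VM, so `sh -c` stands in for that remote shell and printf stands in for
# /bin/firefox, printing each argument it actually received on its own line.

# Wrap one argument in single quotes, rewriting every embedded ' as '\'' so
# the quoted string cannot be terminated early. POSIX equivalent of the
# bash-only "'${1//\'/\'\\\'\'}'".
shell_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Execute the assembled command string the way the remote shell would.
remote_shell() {
    sh -c "$1"
}

# 1. Original script: the URL is interpolated unquoted, so ; & and quotes
#    inside it are parsed as shell syntax on the remote side.
run_unquoted() {
    remote_shell "printf '%s\n' $1"
}

# 2. Naive fix "'$1'": wraps the URL in single quotes, which defeats ; and &
#    but a ' inside the URL closes the quotes and the rest is injected.
run_naive_quoted() {
    remote_shell "printf '%s\n' '$1'"
}

# 3. Escaped form: embedded quotes are neutralised, so the URL arrives as
#    exactly one argument whatever it contains.
run_escaped() {
    remote_shell "printf '%s\n' $(shell_quote "$1")"
}

# Constructed hostile URLs (not real sites): one carries a ';', the other a
# single quote followed by a command and a '#' that comments out the rest.
URL_SEMI='http://example.com/?a=1;echo INJECTED'
URL_QUOTE="http://example.com/?q='; echo INJECTED #"

demo() {
    printf '%s\n' '== 1. unquoted, URL containing ; =='
    run_unquoted "$URL_SEMI"          # URL truncated, then INJECTED
    printf '%s\n' "== 2. naive '\$1', URL containing ' =="
    run_naive_quoted "$URL_QUOTE"     # URL truncated, then INJECTED
    printf '%s\n' "== 3. escaped, URL containing ' =="
    run_escaped "$URL_QUOTE"          # the full URL, nothing else
}

demo
```

Running it shows that the `"'$1'"` form stops `;` and `&` from being interpreted but is still broken out of by a `'` in the URL, while the escaped form delivers both hostile URLs as a single intact argument. With the unquoted form, the quote-bearing URL is not even a valid command line: the remote shell reports an unterminated quoted string and runs nothing.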