Re: [qubes-users] issue with URL handler in Thunderbird: started VM receives truncated URL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
On Fri, Feb 23, 2024 at 02:34:27AM +, Qubes OS Users Mailing List wrote:
> Just realized I sent this as "reply" instead of "reply all". Sorry for
> the spam, Ulrich, but I want to make sure this is visible to others who
> might have a similar problem.
>
> I think the problem is that the URL doesn't end up getting quoted on the
> other end. When this is sent:
>
> [quote="Ulrich_Windl1, post:3, topic:24602"]
> #!/bin/bash
> qvm-run-vm '$dispvm' /bin/firefox "$1"
> [/quote]
>
> The VM will end up getting the URL value with no quotes, because the
> quotes in that script are only for the local bash interpreter, not sent
> to `qvm-run-vm`. The whole expression is quoted in the exec line, but
> bash will interpret the line so the ampersand causes a background
> process to start instead of being incorporated in the URL.
>
> I'm not sure if this is a problem in `qvm-run-vm`. Some people might
> want to take advantage of the shell interpretation. And since the caller
> is able to run any arbitrary shell command anyway, problems like leaking
> environment variables aren't particularly relevant (they have permission
> to see that if they have permission to run arbitrary commands, and
> output is returned to the caller by design).
>
> I would guess that updating the `run-vm-firefox` command to quote the
> URL within the double-quotes will fix it. [Also note that the `$` is
> deprecated, as described in this
> article](https://www.qubes-os.org/news/2020/06/22/new-qrexec-policy-system/#security-in-symbols).
>
> The new symbol is `@`; I have only used in in policy files, but I assume
> that it will work here too so long as you are running 4.1 or newer. So
> the new file would look like this:
>
> ```bash
> #!/bin/bash
> qvm-run-vm '@dispvm' /bin/firefox "'$1'"
> ```
I suggest escaping single quotes in the $1 and adding a "--" before it.
This prevents command injection attacks via a malicious URL.
So the result might be
```bash
#!/bin/bash --
exec qvm-run-vm @dispvm /bin/firefox -- "'${1//\'/\'\\\'\'}'"
```
- --
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab
-BEGIN PGP SIGNATURE-
iQIzBAEBCgAdFiEEdodNnxM2uiJZBxxxsoi1X/+cIsEFAmXYFjsACgkQsoi1X/+c
IsHcAhAApDWk48QftzKO5NKdrpelrUZLJ0whO4VK98wW4aONFGyE2UpyTcfD+Nyu
wPmrdFcsyb1s1aR4T+9LRKnRe+cdad5ik7p9eDwbMEl1VKqCE5wZOiYqmOhiQ/XY
RRjVNSlHiiuRhbIWGmZDQcZ5H6pOfxud0UwcxGoJ5mjoe8RezEaxQ/Keibx25mKQ
uYK9WxNsk0ih7hIcaLeyCMxMwwZJmiDVP4dIfw121xh/IhrZfJ9gGBwKYLUqBl0u
esz3igOu91Yz8eFODscUC5rwPoXUgdOOEpmi+I7GH7Mz2ORgg+GXgGOfPf6+gi90
DMcDCbBXR9vcLVC4OlOe6vy/KQ7YxXqJe2V7m5snmYVibDmJshBPB7gop9ZeW3gr
8JpY3/WKPgFaxtPANi+wtrZ2LhJjMiPH3B+2MHZwaHTDADExw+t9F4NqXCTwj8gO
qH2z9d6tTJtDDQ+fC47xPwGfhkMHaxiEGysvmFYMfH4rCaWcRrRQpz1u0A4U1YEz
wAFbtkoE6SEL7bCchcN0Ey/T4x38MWJw6u3oIRvhwGpn1VOOMnl9bQSU6EHbImy3
Cb3eg94BZIo9wkNOp7VPxiHxav1dgFJXpGy/U2J687wtmgsnImSpRqh8H+lmxsix
pWl/ulZRt0EE7Y44Oo7BYJIqtPr5s+8yr8NsxM2QmAZ4nAdCH1E=
=CD88
-END PGP SIGNATURE-
--
You received this message because you are subscribed to the Google Groups
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/ZdgWO-3Ykm_f4bUE%40itl-email.
Re: [qubes-users] issue with URL handler in Thunderbird: started VM receives truncated URL
Just realized I sent this as "reply" instead of "reply all". Sorry for the spam, Ulrich, but I want to make sure this is visible to others who might have a similar problem. I think the problem is that the URL doesn't end up getting quoted on the other end. When this is sent: [quote="Ulrich_Windl1, post:3, topic:24602"] #!/bin/bash qvm-run-vm '$dispvm' /bin/firefox "$1" [/quote] The VM will end up getting the URL value with no quotes, because the quotes in that script are only for the local bash interpreter, not sent to `qvm-run-vm`. The whole expression is quoted in the exec line, but bash will interpret the line so the ampersand causes a background process to start instead of being incorporated in the URL. I'm not sure if this is a problem in `qvm-run-vm`. Some people might want to take advantage of the shell interpretation. And since the caller is able to run any arbitrary shell command anyway, problems like leaking environment variables aren't particularly relevant (they have permission to see that if they have permission to run arbitrary commands, and output is returned to the caller by design). I would guess that updating the `run-vm-firefox` command to quote the URL within the double-quotes will fix it. [Also note that the `$` is deprecated, as described in this article](https://www.qubes-os.org/news/2020/06/22/new-qrexec-policy-system/#security-in-symbols). The new symbol is `@`; I have only used in in policy files, but I assume that it will work here too so long as you are running 4.1 or newer. So the new file would look like this: ```bash #!/bin/bash qvm-run-vm '@dispvm' /bin/firefox "'$1'" ``` -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/9bbcc208-8883-46c9-befe-788ed663553c%40protonmail.com.
Re: [qubes-users] issue with URL handler in Thunderbird: started VM receives truncated URL
On Thu, 22 Feb 2024 22:19:21 +0100
Ulrich Windl wrote:
>On 2/22/24 22:15, Ulrich Windl wrote:
>> On 2/22/24 21:54, 'Stuart Perkins' via qubes-users wrote:
>>>
>>> On Thu, 22 Feb 2024 21:25:18 +0100
>>> Ulrich Windl wrote:
>>>
Hi!
I managed to configure Thunderbird to run any links via a DVM. However
today I realized that URLs with parameters are truncated (Qubes-OS 4.2)
after the first parameter it seem.
For example I have the URL
../viewtopic.php?f=21=196913=1023049=1023049
When I view it in Firefox, the URL bar has only .../viewtopic.php?f=21
Unfortunately I have no idea how to debug or fix that.
Kind regards,
Ulrich
>>> Easy work around. Setup your "default browser" to be "open in vm".
>>>
>> I'm confused: The URL _is_ opened in a VM; the issue is that the URL
>> being passed in truncated after the first parameter it seems.
>>
>> https and https content type is redirected to a "run-vm-firefox" that
>> contains:
>>
>> #!/bin/bash
>> qvm-run-vm '$dispvm' /bin/firefox "$1"
>>
>> I would guess that qvm-run-vm has a quoting problem.
>>
>>
>> I see that qvm-run-vm passes the parameter correctly to
>> /usr/lib/qubes/qrun-in-vm.
>>
>> I don't know python, but these lines seems to have a problem:
>>
>> cmd = ' '.join(sys.argv[1:])
>> sys.stdout.write("exec bash -c '%s' || exit 127\n" % cmd.replace("'",
>> "'\\''"))
>>
>
>Here's my test result:
>
>$ sh -x /usr/bin/qvm-run-vm @dispvm
>"../viewtopic.php?f=21=196913=1023049=1023049"
>+ getopt -o htd --long help,no-gui,dispvm -n /usr/bin/qvm-run-vm --
>@dispvm ../viewtopic.php?f=21=196913=1023049=1023049
>+ OPTS= -- '@dispvm' '../viewtopic.php?f=21=196913=1023049=1023049'
>+ eval set -- -- '@dispvm'
>'../viewtopic.php?f=21=196913=1023049=1023049'
>+ set -- -- @dispvm ../viewtopic.php?f=21=196913=1023049=1023049
>+ [ 3 -gt 0 ]
>+ shift
>+ break
>+ [ != 1 ]
>+ [ 2 -lt 2 ]
>+ [ = 1 ]
>+ [ != 1 ]
>+ VMNAME=@dispvm
>+ shift
>+ service=qubes.VMShell
>+ [ != 1 ]
>+ service=qubes.VMShell+WaitForSession
>+ exec /usr/lib/qubes/qrexec-client-vm @dispvm
>qubes.VMShell+WaitForSession /usr/lib/qubes/qrun-in-vm
>./viewtopic.php?f=21=196913=1023049=1023049
>bash: line 1: ../viewtopic.php?f=21: No such file or directory
>
Presuming xfce4...
bash-5.2# pwd
/home/user/.config
bash-5.2# cat mimeapps.list
[Default Applications]
text/html=qvm-open-in-dvm.desktop
x-scheme-handler/http=qvm-open-in-dvm.desktop
x-scheme-handler/https=qvm-open-in-dvm.desktop
x-scheme-handler/about=qvm-open-in-dvm.desktop
x-scheme-handler/unknown=qvm-open-in-dvm.desktop
application/pdf=org.gnome.Evince.desktop
application/sql=org.gnome.TextEditor.desktop
[Added Associations]
text/plain=org.gnome.gedit.desktop;
application/pdf=gimp.desktop;pdfmod.desktop;org.gnome.Evince.desktop;
image/jpeg=gimp.desktop;display-im6.q16.desktop;
image/png=gimp.desktop;
application/sql=org.gnome.TextEditor.desktop;
bash-5.2#
--
You received this message because you are subscribed to the Google Groups
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/20240222174150.235b3f21%40yahoo.com.
Re: [qubes-users] issue with URL handler in Thunderbird: started VM receives truncated URL
On 2/22/24 22:15, Ulrich Windl wrote:
On 2/22/24 21:54, 'Stuart Perkins' via qubes-users wrote:
On Thu, 22 Feb 2024 21:25:18 +0100
Ulrich Windl wrote:
Hi!
I managed to configure Thunderbird to run any links via a DVM. However
today I realized that URLs with parameters are truncated (Qubes-OS 4.2)
after the first parameter it seem.
For example I have the URL
../viewtopic.php?f=21=196913=1023049=1023049
When I view it in Firefox, the URL bar has only .../viewtopic.php?f=21
Unfortunately I have no idea how to debug or fix that.
Kind regards,
Ulrich
Easy work around. Setup your "default browser" to be "open in vm".
I'm confused: The URL _is_ opened in a VM; the issue is that the URL
being passed in truncated after the first parameter it seems.
https and https content type is redirected to a "run-vm-firefox" that
contains:
#!/bin/bash
qvm-run-vm '$dispvm' /bin/firefox "$1"
I would guess that qvm-run-vm has a quoting problem.
I see that qvm-run-vm passes the parameter correctly to
/usr/lib/qubes/qrun-in-vm.
I don't know python, but these lines seems to have a problem:
cmd = ' '.join(sys.argv[1:])
sys.stdout.write("exec bash -c '%s' || exit 127\n" % cmd.replace("'",
"'\\''"))
Here's my test result:
$ sh -x /usr/bin/qvm-run-vm @dispvm
"../viewtopic.php?f=21=196913=1023049=1023049"
+ getopt -o htd --long help,no-gui,dispvm -n /usr/bin/qvm-run-vm --
@dispvm ../viewtopic.php?f=21=196913=1023049=1023049
+ OPTS= -- '@dispvm' '../viewtopic.php?f=21=196913=1023049=1023049'
+ eval set -- -- '@dispvm'
'../viewtopic.php?f=21=196913=1023049=1023049'
+ set -- -- @dispvm ../viewtopic.php?f=21=196913=1023049=1023049
+ [ 3 -gt 0 ]
+ shift
+ break
+ [ != 1 ]
+ [ 2 -lt 2 ]
+ [ = 1 ]
+ [ != 1 ]
+ VMNAME=@dispvm
+ shift
+ service=qubes.VMShell
+ [ != 1 ]
+ service=qubes.VMShell+WaitForSession
+ exec /usr/lib/qubes/qrexec-client-vm @dispvm
qubes.VMShell+WaitForSession /usr/lib/qubes/qrun-in-vm
../viewtopic.php?f=21=196913=1023049=1023049
bash: line 1: ../viewtopic.php?f=21: No such file or directory
--
You received this message because you are subscribed to the Google Groups
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/6b230897-f81a-4699-8b1b-081c59ae1688%40gmail.com.
Re: [qubes-users] issue with URL handler in Thunderbird: started VM receives truncated URL
On 2/22/24 21:54, 'Stuart Perkins' via qubes-users wrote:
On Thu, 22 Feb 2024 21:25:18 +0100
Ulrich Windl wrote:
Hi!
I managed to configure Thunderbird to run any links via a DVM. However
today I realized that URLs with parameters are truncated (Qubes-OS 4.2)
after the first parameter it seem.
For example I have the URL
../viewtopic.php?f=21=196913=1023049=1023049
When I view it in Firefox, the URL bar has only .../viewtopic.php?f=21
Unfortunately I have no idea how to debug or fix that.
Kind regards,
Ulrich
Easy work around. Setup your "default browser" to be "open in vm".
I'm confused: The URL _is_ opened in a VM; the issue is that the URL
being passed in truncated after the first parameter it seems.
https and https content type is redirected to a "run-vm-firefox" that
contains:
#!/bin/bash
qvm-run-vm '$dispvm' /bin/firefox "$1"
I would guess that qvm-run-vm has a quoting problem.
I see that qvm-run-vm passes the parameter correctly to
/usr/lib/qubes/qrun-in-vm.
I don't know python, but these lines seems to have a problem:
cmd = ' '.join(sys.argv[1:])
sys.stdout.write("exec bash -c '%s' || exit 127\n" % cmd.replace("'",
"'\\''"))
--
You received this message because you are subscribed to the Google Groups
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/319d0c4d-8d36-4015-b1cc-d2a28cdc7510%40gmail.com.
Re: [qubes-users] issue with URL handler in Thunderbird: started VM receives truncated URL
On Thu, 22 Feb 2024 21:25:18 +0100 Ulrich Windl wrote: >Hi! > > >I managed to configure Thunderbird to run any links via a DVM. However >today I realized that URLs with parameters are truncated (Qubes-OS 4.2) >after the first parameter it seem. > >For example I have the URL >../viewtopic.php?f=21=196913=1023049=1023049 > >When I view it in Firefox, the URL bar has only .../viewtopic.php?f=21 > >Unfortunately I have no idea how to debug or fix that. > > >Kind regards, > >Ulrich > Easy work around. Setup your "default browser" to be "open in vm". -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20240222155458.67e22852%40yahoo.com.
[qubes-users] issue with URL handler in Thunderbird: started VM receives truncated URL
Hi! I managed to configure Thunderbird to run any links via a DVM. However today I realized that URLs with parameters are truncated (Qubes-OS 4.2) after the first parameter it seem. For example I have the URL .../viewtopic.php?f=21=196913=1023049=1023049 When I view it in Firefox, the URL bar has only .../viewtopic.php?f=21 Unfortunately I have no idea how to debug or fix that. Kind regards, Ulrich -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20be73b9-927d-4c90-a46f-dabeb418ce15%40gmail.com.
