issue with URL handler in Thunderbird: started VM receives truncated URL
33 views
Skip to first unread message
Ulrich Windl
Feb 22, 2024, 3:25:24 PM2/22/24
to qubes...@googlegroups.com
Hi!
I managed to configure Thunderbird to run any links via a DVM. However today I realized that URLs with parameters are truncated (Qubes-OS 4.2) after the first parameter it seem.
For example I have the URL .../viewtopic.php?f=21&t=196913&p=1023049&e=1023049
When I view it in Firefox, the URL bar has only .../viewtopic.php?f=21
Unfortunately I have no idea how to debug or fix that.
Kind regards,
Ulrich
Stuart Perkins
Feb 22, 2024, 3:55:06 PM2/22/24
to qubes...@googlegroups.com
On Thu, 22 Feb 2024 21:25:18 +0100
Ulrich Windl <u202...@gmail.com> wrote:
>Hi!
>
>
>I managed to configure Thunderbird to run any links via a DVM. However
>today I realized that URLs with parameters are truncated (Qubes-OS 4.2)
>after the first parameter it seem.
>
>For example I have the URL
>
>When I view it in Firefox, the URL bar has only .../viewtopic.php?f=21
>
>Unfortunately I have no idea how to debug or fix that.
>
>
>Kind regards,
>
>Ulrich
>
Easy work around. Setup your "default browser" to be "open in vm".
>When I view it in Firefox, the URL bar has only .../viewtopic.php?f=21
>
>Unfortunately I have no idea how to debug or fix that.
>
>
>Kind regards,
>
>Ulrich
>
Ulrich Windl
Feb 22, 2024, 4:15:42 PM2/22/24
to qubes...@googlegroups.com
being passed in truncated after the first parameter it seems.
https and https content type is redirected to a "run-vm-firefox" that
contains:
#!/bin/bash
qvm-run-vm '$dispvm' /bin/firefox "$1"
I would guess that qvm-run-vm has a quoting problem.
I see that qvm-run-vm passes the parameter correctly to
/usr/lib/qubes/qrun-in-vm.
I don't know python, but these lines seems to have a problem:
cmd = ' '.join(sys.argv[1:])
sys.stdout.write("exec bash -c '%s' || exit 127\n" % cmd.replace("'",
"'\\''"))
Ulrich Windl
Feb 22, 2024, 4:19:27 PM2/22/24
to qubes...@googlegroups.com
$ sh -x /usr/bin/qvm-run-vm @dispvm
"../viewtopic.php?f=21&t=196913&p=1023049&e=1023049"
+ getopt -o htd --long help,no-gui,dispvm -n /usr/bin/qvm-run-vm --
@dispvm ../viewtopic.php?f=21&t=196913&p=1023049&e=1023049
+ OPTS= -- '@dispvm' '../viewtopic.php?f=21&t=196913&p=1023049&e=1023049'
+ eval set -- -- '@dispvm'
'../viewtopic.php?f=21&t=196913&p=1023049&e=1023049'
+ set -- -- @dispvm ../viewtopic.php?f=21&t=196913&p=1023049&e=1023049
+ [ 3 -gt 0 ]
+ shift
+ break
+ [ != 1 ]
+ [ 2 -lt 2 ]
+ [ = 1 ]
+ [ != 1 ]
+ VMNAME=@dispvm
+ shift
+ service=qubes.VMShell
+ [ != 1 ]
+ service=qubes.VMShell+WaitForSession
+ exec /usr/lib/qubes/qrexec-client-vm @dispvm
qubes.VMShell+WaitForSession /usr/lib/qubes/qrun-in-vm
../viewtopic.php?f=21&t=196913&p=1023049&e=1023049
bash: line 1: ../viewtopic.php?f=21: No such file or directory
Stuart Perkins
Feb 22, 2024, 5:41:58 PM2/22/24
to qubes...@googlegroups.com
On Thu, 22 Feb 2024 22:19:21 +0100
bash-5.2# pwd
/home/user/.config
bash-5.2# cat mimeapps.list
[Default Applications]
text/html=qvm-open-in-dvm.desktop
x-scheme-handler/http=qvm-open-in-dvm.desktop
x-scheme-handler/https=qvm-open-in-dvm.desktop
x-scheme-handler/about=qvm-open-in-dvm.desktop
x-scheme-handler/unknown=qvm-open-in-dvm.desktop
application/pdf=org.gnome.Evince.desktop
application/sql=org.gnome.TextEditor.desktop
[Added Associations]
text/plain=org.gnome.gedit.desktop;
application/pdf=gimp.desktop;pdfmod.desktop;org.gnome.Evince.desktop;
image/jpeg=gimp.desktop;display-im6.q16.desktop;
image/png=gimp.desktop;
application/sql=org.gnome.TextEditor.desktop;
bash-5.2#
Skyler Ferris
Feb 22, 2024, 10:15:32 PM2/22/24
to qubes...@googlegroups.com
Just realized I sent this as "reply" instead of "reply all". Sorry for
the spam, Ulrich, but I want to make sure this is visible to others who
might have a similar problem.
I think the problem is that the URL doesn't end up getting quoted on the
other end. When this is sent:
[quote="Ulrich_Windl1, post:3, topic:24602"]
The VM will end up getting the URL value with no quotes, because the
quotes in that script are only for the local bash interpreter, not sent
to `qvm-run-vm`. The whole expression is quoted in the exec line, but
bash will interpret the line so the ampersand causes a background
process to start instead of being incorporated in the URL.
I'm not sure if this is a problem in `qvm-run-vm`. Some people might
want to take advantage of the shell interpretation. And since the caller
is able to run any arbitrary shell command anyway, problems like leaking
environment variables aren't particularly relevant (they have permission
to see that if they have permission to run arbitrary commands, and
output is returned to the caller by design).
I would guess that updating the `run-vm-firefox` command to quote the
URL within the double-quotes will fix it. [Also note that the `$` is
deprecated, as described in this
article](https://www.qubes-os.org/news/2020/06/22/new-qrexec-policy-system/#security-in-symbols).
The new symbol is `@`; I have only used in in policy files, but I assume
that it will work here too so long as you are running 4.1 or newer. So
the new file would look like this:
```bash
#!/bin/bash
qvm-run-vm '@dispvm' /bin/firefox "'$1'"
```
the spam, Ulrich, but I want to make sure this is visible to others who
might have a similar problem.
I think the problem is that the URL doesn't end up getting quoted on the
other end. When this is sent:
[quote="Ulrich_Windl1, post:3, topic:24602"]
#!/bin/bash
qvm-run-vm '$dispvm' /bin/firefox "$1"
[/quote]
qvm-run-vm '$dispvm' /bin/firefox "$1"
The VM will end up getting the URL value with no quotes, because the
quotes in that script are only for the local bash interpreter, not sent
to `qvm-run-vm`. The whole expression is quoted in the exec line, but
bash will interpret the line so the ampersand causes a background
process to start instead of being incorporated in the URL.
I'm not sure if this is a problem in `qvm-run-vm`. Some people might
want to take advantage of the shell interpretation. And since the caller
is able to run any arbitrary shell command anyway, problems like leaking
environment variables aren't particularly relevant (they have permission
to see that if they have permission to run arbitrary commands, and
output is returned to the caller by design).
I would guess that updating the `run-vm-firefox` command to quote the
URL within the double-quotes will fix it. [Also note that the `$` is
deprecated, as described in this
article](https://www.qubes-os.org/news/2020/06/22/new-qrexec-policy-system/#security-in-symbols).
The new symbol is `@`; I have only used in in policy files, but I assume
that it will work here too so long as you are running 4.1 or newer. So
the new file would look like this:
```bash
#!/bin/bash
qvm-run-vm '@dispvm' /bin/firefox "'$1'"
```
Demi Marie Obenour
Feb 22, 2024, 10:51:29 PM2/22/24
to Skyler Ferris, qubes...@googlegroups.com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
I suggest escaping single quotes in the $1 and adding a "--" before it.
This prevents command injection attacks via a malicious URL.
So the result might be
```bash
#!/bin/bash --
exec qvm-run-vm @dispvm /bin/firefox -- "'${1//\'/\'\\\'\'}'"
```
- --
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEdodNnxM2uiJZBxxxsoi1X/+cIsEFAmXYFjsACgkQsoi1X/+c
IsHcAhAApDWk48QftzKO5NKdrpelrUZLJ0whO4VK98wW4aONFGyE2UpyTcfD+Nyu
wPmrdFcsyb1s1aR4T+9LRKnRe+cdad5ik7p9eDwbMEl1VKqCE5wZOiYqmOhiQ/XY
RRjVNSlHiiuRhbIWGmZDQcZ5H6pOfxud0UwcxGoJ5mjoe8RezEaxQ/Keibx25mKQ
uYK9WxNsk0ih7hIcaLeyCMxMwwZJmiDVP4dIfw121xh/IhrZfJ9gGBwKYLUqBl0u
esz3igOu91Yz8eFODscUC5rwPoXUgdOOEpmi+I7GH7Mz2ORgg+GXgGOfPf6+gi90
DMcDCbBXR9vcLVC4OlOe6vy/KQ7YxXqJe2V7m5snmYVibDmJshBPB7gop9ZeW3gr
8JpY3/WKPgFaxtPANi+wtrZ2LhJjMiPH3B+2MHZwaHTDADExw+t9F4NqXCTwj8gO
qH2z9d6tTJtDDQ+fC47xPwGfhkMHaxiEGysvmFYMfH4rCaWcRrRQpz1u0A4U1YEz
wAFbtkoE6SEL7bCchcN0Ey/T4x38MWJw6u3oIRvhwGpn1VOOMnl9bQSU6EHbImy3
Cb3eg94BZIo9wkNOp7VPxiHxav1dgFJXpGy/U2J687wtmgsnImSpRqh8H+lmxsix
pWl/ulZRt0EE7Y44Oo7BYJIqtPr5s+8yr8NsxM2QmAZ4nAdCH1E=
=CD88
-----END PGP SIGNATURE-----
Hash: SHA512
This prevents command injection attacks via a malicious URL.
So the result might be
```bash
#!/bin/bash --
exec qvm-run-vm @dispvm /bin/firefox -- "'${1//\'/\'\\\'\'}'"
```
- --
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEdodNnxM2uiJZBxxxsoi1X/+cIsEFAmXYFjsACgkQsoi1X/+c
IsHcAhAApDWk48QftzKO5NKdrpelrUZLJ0whO4VK98wW4aONFGyE2UpyTcfD+Nyu
wPmrdFcsyb1s1aR4T+9LRKnRe+cdad5ik7p9eDwbMEl1VKqCE5wZOiYqmOhiQ/XY
RRjVNSlHiiuRhbIWGmZDQcZ5H6pOfxud0UwcxGoJ5mjoe8RezEaxQ/Keibx25mKQ
uYK9WxNsk0ih7hIcaLeyCMxMwwZJmiDVP4dIfw121xh/IhrZfJ9gGBwKYLUqBl0u
esz3igOu91Yz8eFODscUC5rwPoXUgdOOEpmi+I7GH7Mz2ORgg+GXgGOfPf6+gi90
DMcDCbBXR9vcLVC4OlOe6vy/KQ7YxXqJe2V7m5snmYVibDmJshBPB7gop9ZeW3gr
8JpY3/WKPgFaxtPANi+wtrZ2LhJjMiPH3B+2MHZwaHTDADExw+t9F4NqXCTwj8gO
qH2z9d6tTJtDDQ+fC47xPwGfhkMHaxiEGysvmFYMfH4rCaWcRrRQpz1u0A4U1YEz
wAFbtkoE6SEL7bCchcN0Ey/T4x38MWJw6u3oIRvhwGpn1VOOMnl9bQSU6EHbImy3
Cb3eg94BZIo9wkNOp7VPxiHxav1dgFJXpGy/U2J687wtmgsnImSpRqh8H+lmxsix
pWl/ulZRt0EE7Y44Oo7BYJIqtPr5s+8yr8NsxM2QmAZ4nAdCH1E=
=CD88
-----END PGP SIGNATURE-----
Ulrich Windl
Feb 23, 2024, 8:10:59 AM2/23/24
to qubes...@googlegroups.com
Hi!
I kind of disagree: When passing the URL as "$1", it is passed as one single parameter. The user cannot be expected to know to how much more levels of shell script the parameter will be passed to, so any deeper layers have to keep the single parameter. That is: Every layer of shell script may not remove one level of quotes. Anything else is just an unreliable mess IMHO.
Kind regards,
Ulrich
23.02.2024 03:34:27 'Skyler Ferris' via qubes-users <qubes...@googlegroups.com>:
> qvm-run-vm '$dispvm' /bin/firefox "$1"
I kind of disagree: When passing the URL as "$1", it is passed as one single parameter. The user cannot be expected to know to how much more levels of shell script the parameter will be passed to, so any deeper layers have to keep the single parameter. That is: Every layer of shell script may not remove one level of quotes. Anything else is just an unreliable mess IMHO.
Kind regards,
Ulrich
23.02.2024 03:34:27 'Skyler Ferris' via qubes-users <qubes...@googlegroups.com>:
> qvm-run-vm '$dispvm' /bin/firefox "$1"
Skyler Ferris
Feb 23, 2024, 3:42:33 PM2/23/24
to Ulrich Windl, qubes...@googlegroups.com
[quote="Ulrich_Windl1, post:8, topic:24602"]
I want to make sure we're on the same page about exactly why the quotes
are removed, because it sounds like you're attributing this to
`qvm-run-vm`, when in fact it is the bash invocation in the script itself.
When bash (as in, the instance of bash spawned by the `#!/bin/bash` at
the top of the `run-vm-firefox` script) reads the line `qvm-run-vm
'$dispvm' /bin/firefox "$1"`, it interprets the quotes to mean "this is
one single argument and the quotations are not a part of that argument".
So the script does not send the quotation marks to `qvm-run-vm`. It
could quote all arguments automatically and there are good
justifications for doing so but it would not be a strict improvement.
For example, even with double quotes globbing is disabled and some
callers might want to use this feature.
[quote="Demi, post:7, topic:24602"]
I believe this is a script improvement. The URL is not trusted data and
these safeguards do not have an impact on valid inputs.
I kind of disagree: When passing the URL as "$1", it is passed as one
single parameter. The user cannot be expected to know to how much more
levels of shell script the parameter will be passed to, so any deeper
layers have to keep the single parameter. That is: Every layer of shell
script may not remove one level of quotes. Anything else is just an
unreliable mess IMHO.
[/quote]
single parameter. The user cannot be expected to know to how much more
levels of shell script the parameter will be passed to, so any deeper
layers have to keep the single parameter. That is: Every layer of shell
script may not remove one level of quotes. Anything else is just an
unreliable mess IMHO.
I want to make sure we're on the same page about exactly why the quotes
are removed, because it sounds like you're attributing this to
`qvm-run-vm`, when in fact it is the bash invocation in the script itself.
When bash (as in, the instance of bash spawned by the `#!/bin/bash` at
the top of the `run-vm-firefox` script) reads the line `qvm-run-vm
'$dispvm' /bin/firefox "$1"`, it interprets the quotes to mean "this is
one single argument and the quotations are not a part of that argument".
So the script does not send the quotation marks to `qvm-run-vm`. It
could quote all arguments automatically and there are good
justifications for doing so but it would not be a strict improvement.
For example, even with double quotes globbing is disabled and some
callers might want to use this feature.
[quote="Demi, post:7, topic:24602"]
I suggest escaping single quotes in the $1 and adding a "--" before it.
This prevents command injection attacks via a malicious URL.
So the result might be
```bash
#!/bin/bash --
exec qvm-run-vm @dispvm /bin/firefox -- "'${1//\'/\'\\\'\'}'"
```
[/quote]
This prevents command injection attacks via a malicious URL.
So the result might be
```bash
#!/bin/bash --
exec qvm-run-vm @dispvm /bin/firefox -- "'${1//\'/\'\\\'\'}'"
```
I believe this is a script improvement. The URL is not trusted data and
these safeguards do not have an impact on valid inputs.
Manuel Amador (Rudd-O)
Feb 25, 2024, 9:09:07 PM2/25/24
to qubes...@googlegroups.com
I have this you can use:
After building the package and
installing it in the template, you can shut off the template,
restart the qube where you want to configure link clicks to launch
in another qube, and follow these instructions:
With that, any link you click on a
non-browser app will prompt you to open the link in any qube of
you choice.
--
Rudd-O
https://rudd-o.com/
Reply all
Reply to author
Forward
0 new messages