I managed to configure Thunderbird to run any links via a DVM. However today I realized that URLs with parameters are truncated (Qubes-OS 4.2) after the first parameter it seem.
Just realized I sent this as "reply" instead of "reply all". Sorry for
the spam, Ulrich, but I want to make sure this is visible to others who
might have a similar problem.
I think the problem is that the URL doesn't end up getting quoted on the
other end. When this is sent:
The VM will end up getting the URL value with no quotes, because the
quotes in that script are only for the local bash interpreter, not sent
to `qvm-run-vm`. The whole expression is quoted in the exec line, but
bash will interpret the line so the ampersand causes a background
process to start instead of being incorporated in the URL.
I'm not sure if this is a problem in `qvm-run-vm`. Some people might
want to take advantage of the shell interpretation. And since the caller
is able to run any arbitrary shell command anyway, problems like leaking
environment variables aren't particularly relevant (they have permission
to see that if they have permission to run arbitrary commands, and
output is returned to the caller by design).
I would guess that updating the `run-vm-firefox` command to quote the
URL within the double-quotes will fix it. [Also note that the `$` is
deprecated, as described in this
article](Qubes Architecture Next Steps: The New Qrexec Policy System | Qubes OS).
The new symbol is `@`; I have only used in in policy files, but I assume
that it will work here too so long as you are running 4.1 or newer. So
the new file would look like this:
I kind of disagree: When passing the URL as "$1", it is passed as one single parameter. The user cannot be expected to know to how much more levels of shell script the parameter will be passed to, so any deeper layers have to keep the single parameter. That is: Every layer of shell script may not remove one level of quotes. Anything else is just an unreliable mess IMHO.
[quote="Ulrich_Windl1, post:8, topic:24602"]
I kind of disagree: When passing the URL as "$1", it is passed as one
single parameter. The user cannot be expected to know to how much more
levels of shell script the parameter will be passed to, so any deeper
layers have to keep the single parameter. That is: Every layer of shell
script may not remove one level of quotes. Anything else is just an
unreliable mess IMHO.
[/quote]
I want to make sure we're on the same page about exactly why the quotes
are removed, because it sounds like you're attributing this to
`qvm-run-vm`, when in fact it is the bash invocation in the script itself.
When bash (as in, the instance of bash spawned by the `#!/bin/bash` at
the top of the `run-vm-firefox` script) reads the line `qvm-run-vm
'$dispvm' /bin/firefox "$1"`, it interprets the quotes to mean "this is
one single argument and the quotations are not a part of that argument".
So the script does not send the quotation marks to `qvm-run-vm`. It
could quote all arguments automatically and there are good
justifications for doing so but it would not be a strict improvement.
For example, even with double quotes globbing is disabled and some
callers might want to use this feature.
[quote="Demi, post:7, topic:24602"]
I suggest escaping single quotes in the $1 and adding a "--" before it.
This prevents command injection attacks via a malicious URL.