[qubes-users] issue with URL handler in Thunderbird: started VM receives truncated URL

Ulrich_Windl1 · February 22, 2024, 8:25pm

Hi!

I managed to configure Thunderbird to run any links via a DVM. However today I realized that URLs with parameters are truncated (Qubes-OS 4.2) after the first parameter it seem.

For example I have the URL …/viewtopic.php?f=21&t=196913&p=1023049&e=1023049

When I view it in Firefox, the URL bar has only …/viewtopic.php?f=21

Unfortunately I have no idea how to debug or fix that.

Kind regards,

Ulrich

Stuart_Perkins1 · February 22, 2024, 8:54pm

Easy work around. Setup your "default browser" to be "open in vm".

Ulrich_Windl1 · February 22, 2024, 9:15pm

I'm confused: The URL _is_ opened in a VM; the issue is that the URL being passed in truncated after the first parameter it seems.

https and https content type is redirected to a "run-vm-firefox" that contains:

#!/bin/bash
qvm-run-vm '$dispvm' /bin/firefox "$1"

I would guess that qvm-run-vm has a quoting problem.

I see that qvm-run-vm passes the parameter correctly to /usr/lib/qubes/qrun-in-vm.

I don't know python, but these lines seems to have a problem:

cmd = ' '.join(sys.argv[1:])
sys.stdout.write("exec bash -c '%s' || exit 127\n" % cmd.replace("'", "'\\''"))

Ulrich_Windl1 · February 22, 2024, 9:19pm

Here's my test result:

$ sh -x /usr/bin/qvm-run-vm @dispvm "../viewtopic.php?f=21&t=196913&p=1023049&e=1023049"
+ getopt -o htd --long help,no-gui,dispvm -n /usr/bin/qvm-run-vm -- @dispvm ../viewtopic.php?f=21&t=196913&p=1023049&e=1023049
+ OPTS= -- '@dispvm' '../viewtopic.php?f=21&t=196913&p=1023049&e=1023049'
+ eval set -- -- '@dispvm' '../viewtopic.php?f=21&t=196913&p=1023049&e=1023049'
+ set -- -- @dispvm ../viewtopic.php?f=21&t=196913&p=1023049&e=1023049
+ [ 3 -gt 0 ]
+ shift
+ break
+ [ != 1 ]
+ [ 2 -lt 2 ]
+ [ = 1 ]
+ [ != 1 ]
+ VMNAME=@dispvm
+ shift
+ service=qubes.VMShell
+ [ != 1 ]
+ service=qubes.VMShell+WaitForSession
+ exec /usr/lib/qubes/qrexec-client-vm @dispvm qubes.VMShell+WaitForSession /usr/lib/qubes/qrun-in-vm ../viewtopic.php?f=21&t=196913&p=1023049&e=1023049
bash: line 1: ../viewtopic.php?f=21: No such file or directory

Stuart_Perkins1 · February 22, 2024, 10:41pm

Presuming xfce4...

bash-5.2# pwd
/home/user/.config
bash-5.2# cat mimeapps.list
[Default Applications]
text/html=qvm-open-in-dvm.desktop
x-scheme-handler/http=qvm-open-in-dvm.desktop
x-scheme-handler/https=qvm-open-in-dvm.desktop
x-scheme-handler/about=qvm-open-in-dvm.desktop
x-scheme-handler/unknown=qvm-open-in-dvm.desktop
application/pdf=org.gnome.Evince.desktop
application/sql=org.gnome.TextEditor.desktop

[Added Associations]
text/plain=org.gnome.gedit.desktop;
application/pdf=gimp.desktop;pdfmod.desktop;org.gnome.Evince.desktop;
image/jpeg=gimp.desktop;display-im6.q16.desktop;
image/png=gimp.desktop;
application/sql=org.gnome.TextEditor.desktop;
bash-5.2#

skyvine · February 23, 2024, 2:34am

Just realized I sent this as "reply" instead of "reply all". Sorry for
the spam, Ulrich, but I want to make sure this is visible to others who
might have a similar problem.

I think the problem is that the URL doesn't end up getting quoted on the
other end. When this is sent:

[quote="Ulrich_Windl1, post:3, topic:24602"]
#!/bin/bash
qvm-run-vm '$dispvm' /bin/firefox "$1"
[/quote]

The VM will end up getting the URL value with no quotes, because the
quotes in that script are only for the local bash interpreter, not sent
to `qvm-run-vm`. The whole expression is quoted in the exec line, but
bash will interpret the line so the ampersand causes a background
process to start instead of being incorporated in the URL.

I'm not sure if this is a problem in `qvm-run-vm`. Some people might
want to take advantage of the shell interpretation. And since the caller
is able to run any arbitrary shell command anyway, problems like leaking
environment variables aren't particularly relevant (they have permission
to see that if they have permission to run arbitrary commands, and
output is returned to the caller by design).

I would guess that updating the `run-vm-firefox` command to quote the
URL within the double-quotes will fix it. [Also note that the `$` is
deprecated, as described in this
article](Qubes Architecture Next Steps: The New Qrexec Policy System | Qubes OS).
The new symbol is `@`; I have only used in in policy files, but I assume
that it will work here too so long as you are running 4.1 or newer. So
the new file would look like this:

#!/bin/bash
qvm-run-vm '@dispvm' /bin/firefox "'$1'"

Demi · February 23, 2024, 3:51am

I suggest escaping single quotes in the $1 and adding a "--" before it.
This prevents command injection attacks via a malicious URL.

So the result might be

#!/bin/bash --
exec qvm-run-vm @dispvm /bin/firefox -- "'${1//\'/\'\\\'\'}'"

- --
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab

Ulrich_Windl1 · February 23, 2024, 1:10pm

Hi!

I kind of disagree: When passing the URL as "$1", it is passed as one single parameter. The user cannot be expected to know to how much more levels of shell script the parameter will be passed to, so any deeper layers have to keep the single parameter. That is: Every layer of shell script may not remove one level of quotes. Anything else is just an unreliable mess IMHO.

Kind regards,
Ulrich

skyvine · February 23, 2024, 7:57pm

[quote="Ulrich_Windl1, post:8, topic:24602"]
I kind of disagree: When passing the URL as "$1", it is passed as one
single parameter. The user cannot be expected to know to how much more
levels of shell script the parameter will be passed to, so any deeper
layers have to keep the single parameter. That is: Every layer of shell
script may not remove one level of quotes. Anything else is just an
unreliable mess IMHO.
[/quote]

I want to make sure we're on the same page about exactly why the quotes
are removed, because it sounds like you're attributing this to
`qvm-run-vm`, when in fact it is the bash invocation in the script itself.

When bash (as in, the instance of bash spawned by the `#!/bin/bash` at
the top of the `run-vm-firefox` script) reads the line `qvm-run-vm
'$dispvm' /bin/firefox "$1"`, it interprets the quotes to mean "this is
one single argument and the quotations are not a part of that argument".
So the script does not send the quotation marks to `qvm-run-vm`. It
could quote all arguments automatically and there are good
justifications for doing so but it would not be a strict improvement.
For example, even with double quotes globbing is disabled and some
callers might want to use this feature.

[quote="Demi, post:7, topic:24602"]
I suggest escaping single quotes in the $1 and adding a "--" before it.
This prevents command injection attacks via a malicious URL.

So the result might be

#!/bin/bash --
exec qvm-run-vm @dispvm /bin/firefox -- "'${1//\'/\'\\\'\'}'"

[/quote]

I believe this is a script improvement. The URL is not trusted data and
these safeguards do not have an impact on valid inputs.