[gopher] Thunderbird; add "gopher://" to the list of recognized protocols when displaying emails / usenet messages

Nuno J. Silva nunojsilva at ist.utl.pt
Sun Sep 25 14:09:14 UTC 2011


On 2011-09-25, Walter Vermeir wrote:

> Op 25-09-11 15:24, Jacob Dahl Pind schreef:
>> is fun they quote security as the reason why gopher:// is removed but
>> http/ftp is still there, one would think if it really was out of
>> security concerns http, ftp, anything but pure ascii text would have
>> been banned, and oh, it should probably ignore any user input as those
>> users are a real security issue. :)
>
> Yes, I was also wondering about what the "security risk" could be.
>
> As a non-programmer I would think there are 2 possible outcomes if you
> click on a Gopher link;
>
> - the OS complains that it does not know what to do with it (most
> likely event)
> - the Gopher site opens in the default gopher client.

The problem is what happens when Thunderbird invokes a client for *any*
protocol when following a link -- the address is passed as an argument,
and precautions must be taken to make sure this argument is understood
as it is meant to be understood, that is, an address to be run by the
registered client.

The possible problem is *injection*: when the program does not sanitize
the input, people can create specially crafted addresses that will
execute another command.

Bug 388192 has a link to a page that explains this kind of attack (link
is dead, but the page is in the Wayback Machine):

http://web.archive.org/web/20110520004347/http://larholm.com/2007/06/12/safari-for-windows-0day-exploit-in-2-hours/

This will always be an issue with shell integration, and needs to be
fixed. But when it is fixed, the fix should work for all protocols. So
even if this is an issue, it is no real reason to remove gopher
support. If HTTP shell integration has no issue, then why would gopher
integration have, anyway?

> What I do appreciate is that person who closed it took the time to
> look-up and refer to older bugs about Gopher, about the removal of
> gopher from Firefox, what is interesting reading.

The problem is that most of these bugs are about gopher support, not
gopher shell integration, which are separate issues (in fact, if you
have gopher support, you don't need the shell integration that much...).

So that person ended up giving misleading pointers, more to support
their "security" excuse than to point the reporter to the bug that
matters, https://bugzilla.mozilla.org/show_bug.cgi?id=388192

(In other words: the issue here is that the attack vector they are
trying to remove is in shell integration, it should be the same for HTTP
and gopher -- removing gopher wouldn't remove an attack vector... unless
I'm missing something about shell integration or Thunderbird...)

-- 
Nuno J. Silva (aka njsg)
gopher://sdf-eu.org/1/users/njsg
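
The argument-handling problem described in the message above, as an added Python example that is not part of the original post or of Thunderbird's code: it contrasts pasting an address into a command-line template with validating it and passing it as one argv element. The handler table, the client path and the crafted address are constructed for illustration, and nothing is executed.

```python
import shlex
from urllib.parse import urlsplit

# Hypothetical registration table; the client path is a placeholder.
HANDLER = "/usr/bin/example-gopher-client"
HANDLERS = {"gopher": HANDLER}

GOOD = "gopher://sdf-eu.org/1/users/njsg"
# Constructed address: the embedded quote ends the quoted argument early.
CRAFTED = 'gopher://example.invalid/" --constructed-option "x'

def naive_command_line(url, handler=HANDLER):
    """Unsafe pattern: paste the address into a command-line template."""
    return '%s "%s"' % (handler, url)

def argv_seen_by_handler(command_line):
    """Split the string the way a shell-like parser would."""
    return shlex.split(command_line)

def safe_argv(url):
    """Validate the address, then return an argv list (no shell string)."""
    for ch in url:
        # Reject quoting/metacharacters, whitespace and control characters.
        if ch in '"\'`\\<>|^' or ord(ch) <= 0x20 or ord(ch) == 0x7F:
            raise ValueError("unsafe character in address: %r" % ch)
    parts = urlsplit(url)
    handler = HANDLERS.get(parts.scheme.lower())
    if handler is None:
        raise ValueError("no registered handler for %r" % parts.scheme)
    if not parts.hostname:
        raise ValueError("address has no host")
    # The address is a single list element; the same check applies to
    # every scheme in the table, not just gopher.
    return [handler, url]

def rejected(url):
    """True when safe_argv refuses the address."""
    try:
        safe_argv(url)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    print(argv_seen_by_handler(naive_command_line(GOOD)))
    print(argv_seen_by_handler(naive_command_line(CRAFTED)))
    print(safe_argv(GOOD), rejected(CRAFTED))
```

Passing the list from `safe_argv` to a process-spawning API that takes an argument vector avoids the re-parsing step that splits the crafted address into extra arguments.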


