10.4: Search Firefox bookmarks with Spotlight
Authored by: badger brigade on Aug 30, '05 06:11:24PM

When running this script I get a couple of errors like

sh: line 1: sarge: command not found
sh: line 1: amp: command not found
which makes me a bit worried that the escaping isn't happening properly and sh is running some of the bookmark text as commands when they're preceded by backticks (as in the case of 'sarge' above).

Also, is there a way to get Firefox to open .webbookmark files? At the moment, the Spotlight results always open in Safari.


Very dangerous script
Authored by: stewby on Aug 30, '05 09:16:03PM

Yes, the script has no escaping at all. Anything with $ in it will have problems too. The backtick case is by far the most dangerous though, since you could theoretically have a bookmark with text that this script would turn into a destructive command.



Dangerous? Don't think so.
Authored by: jms1 on Aug 31, '05 01:01:40PM

Let's see... the dangerous items, the items which could potentially be controlled by the operator of a malicious web site, are the URL, the page title, and the icon. None of these items are ever exposed to a command line, either directly or by output within a backtick construct- the only things in backticks are the "find" command which locates Firefox's bookmarks.html file, and the word "uuidgen" which is a command to generate UUID numbers which are used as unique filenames.

So the only possible issues would be:

- If an attacker were somehow able to cause files to be created in the user's home directory so that the "find" command returns the wrong file. This threat can be avoided by using a more specific "find" location, as has already been mentioned in one of the replies here.

- If an attacker were able to manipulate the user's system so that the "uuidgen" command ran something other than Apple's /usr/bin/uuidgen.

And if either of these scenarios is possible, you already have bigger problems than this script could expose you to.

Sorry, I don't see anything overly dangerous here.



Dangerous?
Authored by: badger brigade on Aug 31, '05 07:04:28PM
I'm not about to check it, but I think that if a bookmarked site has a title that contains
`rm -rf ~
then you might be in trouble. It's probably not that likely, but it definitely tried to run at least two commands when parsing my bookmarks.

Yes, dangerous.
Authored by: stewby on Aug 31, '05 11:20:18PM

"None of these items are ever exposed to a command line, either directly or by output within a backtick construct"

You are assuming that none of the bookmarks themselves contain backticks. By the time the "CAT<<..." portion is piped into sh, there are no more shell escapes, so everything in each of those items would be subject to full shell interpretation. Backticks, $, etc.

While the common case would simply be a partially mangled export, this allows arbitrary code execution (obviously vastly more likely to be accidental than malicious, but still a very dangerous thing to run). Deletion of files, upload of files to remote server, you name it. If you don't believe it, try it with a bookmark named `touch ~/uh-oh`



And a fix
Authored by: stewby on Aug 31, '05 11:38:53PM

And as a follow-up, you can make it more correct (no mangled names) and much safer by changing

<<END_BOOKMARK
to
<<'"'"'END_BOOKMARK'"'"'
(Yes, that's single-quote double-quote single-quote double-quote single-quote on each side)



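The injection stewby describes in "Yes, dangerous." and the heredoc fix in "And a fix", side by side, as an added example. This is not the hint's own script and not code posted by anyone in the thread. It assumes the hint generates a `cat <<END_BOOKMARK ... END_BOOKMARK` command per bookmark from inside a single-quoted awk program and pipes the result into sh (the thread only says the cat portion is piped into sh); the bookmark title is constructed to be harmless and stands in for the `touch ~/uh-oh` case above.

```shell
#!/bin/sh
# Constructed input: a bookmark title carrying the metacharacters at issue in the
# thread (backticks and $). The backtick payload only echoes a marker, so running
# this is safe; a real title could just as well hold `rm -rf ~`.
TITLE='Debian `echo INJECTED` costs $HOME'

# Vulnerable pattern (assumed structure of the original hint): a single-quoted awk
# program emits "cat <<END_BOOKMARK ... END_BOOKMARK" for each title, and the
# output is fed to sh. Because the delimiter is unquoted, sh performs command
# substitution, parameter expansion and backslash processing on the heredoc
# body, i.e. on text the bookmarked site controlled.
gen_unsafe() {
    printf '%s\n' "$1" | awk '{
        print "cat <<END_BOOKMARK"
        print
        print "END_BOOKMARK"
    }'
}

# Fix from the thread: quote the delimiter. A literal single quote cannot appear
# inside a single-quoted awk program, so it is spelled '"'"' (close quote, a
# double-quoted quote, reopen), which is exactly why the fix reads
# <<'"'"'END_BOOKMARK'"'"'. sh receives <<'END_BOOKMARK' and copies the body
# verbatim, with no expansion of any kind.
gen_safe() {
    printf '%s\n' "$1" | awk '{
        print "cat <<'"'"'END_BOOKMARK'"'"'"
        print
        print "END_BOOKMARK"
    }'
}

# Run each generated command through sh, as the hint does, and return its stdout.
run_unsafe() { gen_unsafe "$1" | sh 2>/dev/null; }
run_safe()   { gen_safe   "$1" | sh 2>/dev/null; }

# The unsafe path executes `echo INJECTED` and expands $HOME; the safe path
# reproduces the title byte for byte.
printf 'unsafe: %s\n' "$(run_unsafe "$TITLE")"
printf 'safe:   %s\n' "$(run_safe   "$TITLE")"
```

Quoting the delimiter stops expansion inside the body, but it does not make the generated script robust against everything: a title that contained a newline followed by a line reading exactly `END_BOOKMARK` would still end the heredoc early and hand the rest to sh as commands. Emitting shell source from untrusted text is the underlying problem; writing the files directly from awk or perl, with no sh in the pipeline, removes that class of issue entirely.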