mozilla-firefox: firefox loads external page instead of local html file

Bug #7740 reported by Debian Bug Importer
Affects            Status         Importance   Assigned to   Milestone
firefox (Debian)   Fix Released   Unknown
firefox (Ubuntu)   Invalid        Low          Unassigned

Bug Description

Automatically imported from Debian bug report #269690 http://bugs.debian.org/269690

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Fri, 3 Sep 2004 00:43:21 +0200
From: Filip Van Raemdonck <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: mozilla-firefox: firefox loads external page instead of local html file

Package: mozilla-firefox
Version: 0.9.3-2.2
Severity: grave
Justification: possible data exposure, unrequested online activity

I was cleaning up a system which had the Return to Castle Wolfenstein game
test release installed (the beta demo, before the actual game release).
Inside the wolftest installation directory there is a readme.html. From a
terminal window I ran "firefox wolftest2/readme.html" [1]. To my big
surprise firefox, once started, displayed an online web page; more
specifically http://www.sslug.dk/emailarkiv/spil/2001_11/msg00008.html

While that page seems fairly innocent, and is in fact related to at least
RTCW (and possibly the test version from the installation), firefox never
should've brought me there from that local html page. There is nothing in
the local page which should cause a redirect. In fact, when I just start
firefox without giving it a start page and then load the file locally it
displays it fine.

I quickly discovered that the above mailing list message, which firefox
displayed instead of the readme, is the #1 hit I get on google when
searching for "wolftest2".
So, obviously, firefox has problems with loading local files from the
command line when they are not in the current working directory, which,
combined with Debian bug #266962, causes the above issue. Both of these
together make up for a serious privacy flaw IMNSHO.[2]
FWIW, neither w3m (displays fine) nor mozilla (not found error) exhibit the
problematic behaviour.

Regards,

Filip

[1] That wolftest2 directory is where the demo is installed; I was in the
    directory above it.
[2] Actually I consider #266962 by itself to be a serious problem; for some
    reason I have not run into it yet (is this a recent (mis-)feature? Or am
    I just a decent typist who does not input incorrect URIs?) but I
    definitely do not want google to collect any data on my target surfing
    locations, even if they need to correct them for typos.

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.4.27
Locale: LANG=C, LC_CTYPE=nl_BE@euro

Versions of packages mozilla-firefox depends on:
ii debianutils 2.8.4 Miscellaneous utilities specific t
ii fontconfig 2.2.3-1 generic font configuration library
ii libatk1.0-0 1.6.1-3 The ATK accessibility toolkit
ii libc6 2.3.2.ds1-16 GNU C Library: Shared libraries an
ii libfontconfig1 2.2.3-1 generic font configuration library
ii libfreetype6 2.1.7-2.2 FreeType 2 font engine, shared lib
ii libgcc1 1:3.4.1-7 GCC support library
ii libglib2.0-0 2.4.6-2 The GLib library of C routines
ii libgtk2.0-0 2.4.9-1 The GTK+ graphical user interface
ii libidl0 ...

Matt Zimmerman (mdz) wrote :

Not RC

In , Scott Dier (dieman) wrote : Works as documented

severity 269690 wishlist
thanks

"Usage: /usr/lib/mozilla-firefox/firefox-bin [ options ... ] [URL]"

I find this hard to be a bug, you didn't provide a proper URL. 'text'
URLs in firefox are given off to google.

This bug does none of the following:
     makes the package in question unusable or mostly so, or causes data
loss, or introduces a security hole allowing access to the accounts of
users who use the package.

Therefore, since it is closely related to the other bug -- it's merely
another place to input a URL, I'm changing it down to wishlist. It
should most likely be merged with the other bug, as this has to do with
URL handling, not a privacy issue.

--
Scott Dier <email address hidden> KC0OBS http://www.ringworld.org/

"Right now we've been presented with an option that says cars now,
transit later -- maybe. That's not good enough."
   -- Minneapolis Mayor R.T. Rybak.

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Thu, 02 Sep 2004 23:44:48 -0500
From: Scott Dier <email address hidden>
To: <email address hidden>, <email address hidden>,
 <email address hidden>
Subject: Works as documented

In , Helge Kreutzmann (kreutzm) wrote : Google does have privacy issues

Hello,
I think it is *not* a good idea to fire off to any search machine if
the user in question makes an error. There is an easy technical reason
and a hard privacy reason.

A) Technical:
   If I have dial-on-demand and I use firefox inappropriately, an
   unwanted dial-out happens while I would expect an error message.
   The reporter did *not* want to search for the term, and I don't think
   he wanted to search for it in case the file did not exist either.

B) Privacy:
   Google does store information about its use, and since google did
   go public this is a valuable knowledge now being traded. If I need
   this feature, I want to turn it *on*. Remember when you first used
   the web browser and filled in a form? It informed you that you
   were sending possibly sensitive data. I kept that window, but I
   can also turn it off.

Hence it would be very sensible IMHO, if (Debian-)Firefox would pop up
an error message if the url/argument was not valid. Then document in
README.Debian, how to turn on the automatic search on google, if the
user wants it. If in doubt, choose privacy/security and document how
to get convenience, not vice versa.

I strongly disagree with the current severity level (wishlist) but
since I am neither the submitter nor the maintainer and currently do not use
firefox, I'll leave it at that. But I once reported a similar bug in
konqueror and it got quickly fixed.

Greetings

          Helge
--
Helge Kreutzmann, Dipl.-Phys. <email address hidden>
  gpg signed mail preferred gpg-key: finger <email address hidden>
    64bit GNU powered http://www.itp.uni-hannover.de/~kreutzm
       Help keep free software "libre": http://www.freepatents.org/

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Fri, 3 Sep 2004 15:16:48 +0200
From: Helge Kreutzmann <email address hidden>
To: <email address hidden>
Cc: Filip Van Raemdonck <email address hidden>
Subject: Google does have privacy issues

Thom May (thombot) wrote :

Some good points in the discussion but this is not really a bug we care about
for warty.

In , rgselk (rgselknospam) wrote : Actually it is a bug in the firefox wrapper script...

The problem is in the script /usr/bin/firefox.
After checking if the path is absolute
$RETURN_VAL is used instead of $?.
The attached patch fixes it.

mozilla-firefox 0.9.3-5

_______________________________
Do you Yahoo!?
Declare Yourself - Register online to vote today!
http://vote.yahoo.com
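
The argument handling discussed in this report, as an added example that is not code from the Debian package or from any participant in the thread: a POSIX shell classifier that resolves an existing file against the current directory, passes explicit URLs through, and fails closed on anything else, in line with the suggestion above to show an error for an invalid argument. The names classify_arg and open_arg are hypothetical, and accepting only "scheme://" URLs is an assumed policy.

```shell
#!/bin/sh
# Added example; classify_arg and open_arg are hypothetical names.

# classify_arg ARG
#   Prints the value to hand to the browser and returns 0, or prints
#   nothing and returns 1 when ARG is neither an existing file nor a URL.
classify_arg() {
    arg=$1
    case "$arg" in
        ''|*'
'*) return 1 ;;                  # empty, or contains a newline
    esac

    # 1. Existing regular file, absolute or relative to the current directory.
    case "$arg" in
        /*) path=$arg ;;
        *)  path=./$arg ;;       # "./" keeps a leading "-" from looking like an option
    esac
    if [ -f "$path" ]; then
        # Canonical absolute directory; fails if the directory is unreadable.
        dir=$(cd "$(dirname "$path")" && pwd -P) || return 1
        case "$dir" in /) dir= ;; esac
        printf '%s/%s\n' "$dir" "$(basename "$path")"
        return 0
    fi

    # 2. Explicit URL. Requiring "scheme://" is an assumed policy for this example.
    if printf '%s\n' "$arg" | grep -Eq '^[A-Za-z][A-Za-z0-9+.-]*://[^[:space:]]+$'; then
        printf '%s\n' "$arg"
        return 0
    fi

    # 3. Bare words, directories and missing files are rejected, so a
    #    mistyped path never leaves the machine as free text.
    return 1
}

# Wrapper entry point: start the browser only with a classified argument.
# MOZ_CLIENT_PROGRAM is the variable name used in the wrapper script; the
# fallback binary name is an assumption.
open_arg() {
    if target=$(classify_arg "$1"); then
        exec "${MOZ_CLIENT_PROGRAM:-firefox-bin}" "$target"
    fi
    printf 'error: "%s" is neither an existing file nor a URL\n' "$1" >&2
    return 2
}
```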

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Tue, 12 Oct 2004 02:46:50 -0700 (PDT)
From: rgselk <email address hidden>
To: <email address hidden>
Subject: Actually it is a bug in the firefox wrapper script...

Content-Type: text/plain; name="firefox.diff.txt"
Content-Description: firefox.diff.txt
Content-Disposition: inline; filename="firefox.diff.txt"

--- firefox Fri Sep 17 03:14:08 2004
+++ firefox Tue Oct 12 11:32:30 2004
@@ -315,7 +315,7 @@
     # if it doesn't begin with a '/' and it exists when the pwd is
     # prepended to it then append the full path
     echo $opt | grep -e '^/' 2>/dev/null > /dev/null
- if [ "${RETURN_VAL}" -ne "0" ] && [ -e "`pwd`/$opt" ]; then
+ if [ "$?" -ne "0" ] && [ -e "`pwd`/$opt" ]; then
       opt="`pwd`/$opt"
     fi
     exec $MOZ_CLIENT_PROGRAM "openurl($opt,new-$open_in)" 2>/dev/null \
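
Review bot: the replacement test on the "+" line reads "$?" from the grep pipeline one line above, so it is only correct while nothing is ever inserted between those two lines; checking the prefix directly, e.g. case "$opt" in /*) ;; *) [ -e "$PWD/$opt" ] && opt="$PWD/$opt" ;; esac, removes the dependency on the exit status and the grep subprocess. The unchanged context line that runs echo $opt leaves $opt unquoted, so an argument containing spaces or glob characters is split or expanded before grep sees it. When the argument is relative and the -e test fails, $opt still reaches openurl(...) unmodified; reporting an error at that point would cover the case this report describes.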

In , Eric Dorland (eric-debian) wrote : Fixed in upload of mozilla-firefox 0.10.1+1.0PR-2 to experimental

tag 262062 + fixed-in-experimental
tag 269690 + fixed-in-experimental
tag 273353 + fixed-in-experimental
tag 274258 + fixed-in-experimental
tag 275563 + fixed-in-experimental

quit

This message was generated automatically in response to an
upload to the experimental distribution. The .changes file follows.

Format: 1.7
Date: Sun, 17 Oct 2004 21:25:08 -0400
Source: mozilla-firefox
Binary: mozilla-firefox-gnome-vfs mozilla-firefox mozilla-firefox-dom-inspector
Architecture: source i386
Version: 0.10.1+1.0PR-2
Distribution: experimental
Urgency: low
Maintainer: Eric Dorland <email address hidden>
Changed-By: Eric Dorland <email address hidden>
Description:
 mozilla-firefox - lightweight web browser based on Mozilla
 mozilla-firefox-dom-inspector - tool for inspecting the DOM of pages in Mozilla Firefox
 mozilla-firefox-gnome-vfs - Support for Gnome-VFS in Mozilla Firefox
Closes: 262062 269690 273353 274258 275563
Changes:
 mozilla-firefox (0.10.1+1.0PR-2) experimental; urgency=low
 .
   * debian/mozilla-firefox-runner:
     - Patch from Sam Morris to handle cleanup of directories with
       unusual names.
     - Fix return value check, patch from rgselk. (Closes: #269690)
   * debian/mozilla-firefox.1: List full path to firefox-bin. (Closes:
     #275563)
   * debian/rules:
     - --with-gssapi=/usr, enable Negotiate extension. (Closes:
       #274258)
     - Enable gnomevfs support,
   * debian/control:
     - Build-depend on libkrb5-dev.
     - Build-depend on libgnomevfs2-dev.
     - New gnomevfs package, based on work by Mike Hommey. (Closes:
       #262062)
   * debian/mozilla-firefox-gnome-vfs.post{inst,rm}: Added, same as
     corresponding files from mozilla-firefox-dom-inspector.
   * debian/mozilla-firefox-gnome-vfs.install: Install gnomevfs components.
   * browser/app/profile/firefox.js: Set
     network.negotiate-auth.trusted-uris to https:// to enable the
     negotiate extension over secure links.
   * config/rules.mk: Tweak patch from Thiemo Seufer to include svg_doc in
     non-optimization. (Closes: #273353)
Files:
 f991e9e91c40b61e508231388b922598 1021 web optional mozilla-firefox_0.10.1+1.0PR-2.dsc
 67ff9c1d44aa940740deb274d39a564e 65385 web optional mozilla-firefox_0.10.1+1.0PR-2.diff.gz
 11d0e54da212eff065456ae460015c1b 9974568 web optional mozilla-firefox_0.10.1+1.0PR-2_i386.deb
 75ee38d23d0eb6a69acaa24981e7703e 141608 web optional mozilla-firefox-dom-inspector_0.10.1+1.0PR-2_i386.deb
 e83d655c40aa9a5481c17a3f55d7b9ca 36914 web optional mozilla-firefox-gnome-vfs_0.10.1+1.0PR-2_i386.deb

Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Sun, 24 Oct 2004 00:53:07 -0400
From: Eric Dorland <email address hidden>
To: <email address hidden>
Cc: Eric Dorland <email address hidden>
Subject: Fixed in upload of mozilla-firefox 0.10.1+1.0PR-2 to experimental

In , Mike Hommey (mh-glandium) wrote : New upload to unstable make bugs fixed-in-experimental also fixed in unstable

tag 274311 - fixed-in-experimental
tag 274629 - fixed-in-experimental sid
tag 275786 - fixed-in-experimental sid
tag 277113 - fixed-in-experimental
tag 273700 - fixed-in-experimental
tag 265482 - fixed-in-experimental
tag 275563 - fixed-in-experimental
tag 262062 - fixed-in-experimental
tag 265907 - fixed-in-experimental
tag 269690 - fixed-in-experimental
tag 274258 - fixed-in-experimental
tag 274493 - fixed-in-experimental
tag 275844 - fixed-in-experimental
tag 274311 + sarge
tag 274629 + sarge
tag 275786 + sarge
tag 277113 + sarge
tag 273700 + sarge
tag 265482 + sarge
tag 275563 + sarge
tag 262062 + sarge
tag 265907 + sarge
tag 269690 + sarge
tag 274258 + sarge
tag 274493 + sarge
tag 275844 + sarge
thanks

New upload to unstable makes bugs fixed-in-experimental also fixed in
unstable, thus untagging them sid if necessary, and tagging them sarge
only.

Mike

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Tue, 26 Oct 2004 23:38:14 +0900
From: Mike Hommey <email address hidden>
To: <email address hidden>
Subject: New upload to unstable make bugs fixed-in-experimental also fixed in unstable

In , Mike Hommey (mh-glandium) wrote : 1.0-2 migrated to sarge

mozilla-firefox version 1.0-2 migrated to sarge, implying that these
bugs which were still in 0.9.3-5 but have been solved in the meanwhile,
are finally solved in sarge.

Mike

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Thu, 18 Nov 2004 11:44:13 +0900
From: Mike Hommey <email address hidden>
To: <email address hidden>, <email address hidden>,
 <email address hidden>, <email address hidden>,
 <email address hidden>, <email address hidden>,
 <email address hidden>, <email address hidden>,
 <email address hidden>, <email address hidden>,
 <email address hidden>, <email address hidden>,
 <email address hidden>, <email address hidden>,
 <email address hidden>, <email address hidden>,
 <email address hidden>, <email address hidden>,
 <email address hidden>, <email address hidden>, <email address hidden>
Subject: 1.0-2 migrated to sarge

Changed in firefox:
status: Unknown → Fix Released