Party like its 1995



  •  From one of the Firefox developers:    (benjamin.smedbergs.us/blog/2009-12-15/multi-process-plugins/)

     "There is one major known bug right now: any plugin which is installed in a path with spaces fails to load. On Windows, this affects almost everything except Flash."

    Hasn't Windows been able to handle spaces in file names since like .... 1995?  I confess to being somewhat less than expert at programming, but after 15 years, not being able to handle spaces in file/directory names seems like a pretty big WTF.

     



  • Actually, even DOS supported spaces in file names.

    [url]http://blogs.msdn.com/oldnewthing/archive/2009/07/09/9825126.aspx[/url]



  • He doens't imply it's Microsoft's bug. All he's saying is that Firefox can't handle it.

    Like you said, long filename support in Windows has been around for... well, for the NT OSes that are current, since day one in 1994 or so. Whatever the cause of this bug, it's certainly Firefox's code and not Microsoft's.



  • Actually, re-reading it... I think he's saying the bug is present on all platforms, but it's critical on Windows as the vast majority of Windows installations install Firefox inside of a folder named "Program Files" (with a space in it.)

    In OS X, Firefox would be inside /Applications (no space).

    Even wierder, Firefox's installer puts it inside a folder named "Mozilla Firefox 3". That's two spaces. WTF?! How has this bug been able to survive this long!?



  • @blakeyrat said:

    He doens't imply it's Microsoft's bug. All he's saying is that Firefox can't handle it.

    Which was really my point.  If Windows has been able to handle spaces for at least 15 years, I would think Mozilla's programmers ought to do the same.

     



  • @blakeyrat said:

    Even wierder, Firefox's installer puts it inside a folder named "Mozilla Firefox 3". That's two spaces. WTF?! How has this bug been able to survive this long!?

    The "bug" is in a newly added feature, something called "out-of-process plugins" which is the ability to run tabs, plugins and extensions in separate processes.  Clearly Firefox can handle file/directory names with spaces, I think they just forgot to copy/paste some code from one part of Firefox to this new section.


  • Sorry I guess I misread your post, it sounded like you were blaming Microsoft.



  • @El_Heffe said:

    @blakeyrat said:

    Even wierder, Firefox's installer puts it inside a folder named "Mozilla Firefox 3". That's two spaces. WTF?! How has this bug been able to survive this long!?

    The "bug" is in a newly added feature, something called "out-of-process plugins" which is the ability to run tabs, plugins and extensions in separate processes.  Clearly Firefox can handle file/directory names with spaces, I think they just forgot to copy/paste some code from one part of Firefox to this new section.

    I've seen a number of these issues crop up.  In about half of the cases I've seen, there's actually a code injection vulnerability hidden within this bug, too.

    It generally occurs because the programmer attempted to take a short cut, and utilize a library call that will separate out a command from its arguments; this saves them from needing to make an array of the arguments to pass to execve(2).  Unfortunately, said library call needs to be told to skip spaces that are supposed to be within the filenames.  And, for the code injection issues - about half the time I've seen this trick done, the library call in question will honor metacharacters in the filename.  So if you name your plugin, "plugin; rm -rf .", it may have extra fun on unix boxes...  And, about half the time they fix these things, the command injection simply changes, such that you need to rename your malicious plugin to something like "plugin'; rm -rf .;'"



  • @blakeyrat said:

    Sorry I guess I misread your post, it sounded like you were blaming Microsoft.

    No, I wasn't blaming Microsft, it was more like  "I know that Firefox can handle spaces in directory names because it has to access stuff in directories with spaces (for example: C:\Program Files\Mozilla Firefox\plugins)  and it works just fine.  So WTF?  Isn't there some function you call in the Windows API (my Windows C++ programming knowledge isn't very good) where you just pass it a filename and Windows does the work and knows how to handle spaces so that don't have to re-invent the wheel?"


  • @El_Heffe said:

    Isn't there some function you call in the Windows API (my Windows C++ programming knowledge isn't very good) where you just pass it a filename and Windows does the work and knows how to handle spaces so that don't have to re-invent the wheel?"

    Unfortunately for the case they need, parsing a command, there does not seem to be. Working with cmd.exe-compatible command-lines on Windows is a royal pain in the arse, because the quoting rules are insane and there is indeed total lack of functions implementing them.



  • @El_Heffe said:

    Isn't there some function you call in the Windows API (my Windows C++ programming knowledge isn't very good) where you just pass it a filename and Windows does the work and knows how to handle spaces so that don't have to re-invent the wheel?

    Actually, there's one in the C API that predates all this stuff and is thus everywhere.  The problem is, you *just* pass it the file name (at least, in that particular parameter), not anything else.  And the moron developers that keep producing these problems don't want to *just* pass the filename, they want to pass at least one other thing and have the libraries/OS sort it out.  There is *no* way to do that without having some kind of issue along these lines.  I could do a proof, but I don't have time ATM.

    (Also, just because I can prove it to be incorrect doesn't mean it is...)



  • @El_Heffe said:

    Clearly Firefox can handle file/directory names with spaces, I think they just forgot to copy/paste some code from one part of Firefox to this new section.
    The code they're looking for is two double quotes.  They looked all over the keyboard and couldn't find them.  "What, you mean this key with the three single quotes on it?"



  • @belgariontheking said:

    The code they're looking for is two double quotes.  They looked all over the keyboard and couldn't find them.  "What, you mean this key with the three single quotes on it?"

     

      That's it!!


Log in to reply