Implement qubes.OpenURL service instead of wrapping URLs in HTML

This have many advantages:
 - prevent XSS (QubesOS/qubes-issues#1462)
 - use default browser instead of default HTML viewer
 - better qrexec policy control
 - easier to control where are opened files vs URLs

For now allow only http(s):// and ftp:// addresses (especially prevent
file://). But this list can be easily extended.

QubesOS/qubes-issues#1462
Fixes QubesOS/qubes-issues#1487

Makefile

@@ -203,7 +203,6 @@ install-common:
 	install -m 0755 misc/qubes-session-autostart $(DESTDIR)/usr/bin/qubes-session-autostart
 
 	install qubes-rpc/{qvm-open-in-dvm,qvm-open-in-vm,qvm-copy-to-vm,qvm-move-to-vm,qvm-run,qvm-mru-entry} $(DESTDIR)/usr/bin
-	install qubes-rpc/wrap-in-html-if-url.sh $(DESTDIR)$(LIBDIR)/qubes
 	install qubes-rpc/qvm-copy-to-vm.kde $(DESTDIR)$(LIBDIR)/qubes
 	install qubes-rpc/qvm-copy-to-vm.gnome $(DESTDIR)$(LIBDIR)/qubes
 	install qubes-rpc/qvm-move-to-vm.kde $(DESTDIR)$(LIBDIR)/qubes
@@ -222,6 +221,7 @@ install-common:
 	install -m 0644 qubes-rpc/{qvm-copy.desktop,qvm-move.desktop,qvm-dvm.desktop} $(DESTDIR)/$(KDESERVICEDIR)
 	install -d $(DESTDIR)/etc/qubes-rpc
 	install -m 0644 qubes-rpc/{qubes.Filecopy,qubes.OpenInVM,qubes.VMShell,qubes.SyncNtpClock} $(DESTDIR)/etc/qubes-rpc
+	install -m 0755 qubes-rpc/qubes.OpenURL $(DESTDIR)/etc/qubes-rpc
 	install -m 0644 qubes-rpc/{qubes.SuspendPre,qubes.SuspendPost,qubes.GetAppmenus} $(DESTDIR)/etc/qubes-rpc
 	install -m 0755 qubes-rpc/qubes.SuspendPreAll $(DESTDIR)/etc/qubes-rpc
 	install -m 0755 qubes-rpc/qubes.SuspendPostAll $(DESTDIR)/etc/qubes-rpc

qubes-rpc/qubes.OpenURL

@@ -0,0 +1,16 @@
+#!/bin/sh
+
+read url
+
+case "$url" in
+    http://*|\
+    https://*|\
+    ftp://*)
+        exec qubes-open "$url"
+        ;;
+    *)
+        echo "Invalid URL" >&2
+        exit 1
+        ;;
+esac
+

qubes-rpc/qvm-open-in-dvm

@@ -25,7 +25,4 @@ if ! [ $# = 1 ] ; then
 	exit 1
 fi
 
-. /usr/lib/qubes/wrap-in-html-if-url.sh
-wrap_in_html_if_url "$1"
-
-exec /usr/lib/qubes/qrexec-client-vm '$dispvm' qubes.OpenInVM "/usr/lib/qubes/qopen-in-vm" "$FILE_ARGUMENT"
+exec qvm-open-in-vm '$dispvm' "$1"

qubes-rpc/qvm-open-in-vm

@@ -24,6 +24,12 @@ if ! [ $# = 2 ] ; then
 	echo "Usage: $0 vmname filename"
 	exit 1
 fi
-. /usr/lib/qubes/wrap-in-html-if-url.sh
-wrap_in_html_if_url "$2"
-exec /usr/lib/qubes/qrexec-client-vm "$1" qubes.OpenInVM "/usr/lib/qubes/qopen-in-vm" "$FILE_ARGUMENT"
+
+case "$2" in
+	*://*)
+        exec /usr/lib/qubes/qrexec-client-vm "$1" qubes.OpenURL /bin/echo "$2"
+        ;;
+    *)
+        exec /usr/lib/qubes/qrexec-client-vm "$1" qubes.OpenInVM "/usr/lib/qubes/qopen-in-vm" "$2"
+        ;;
+esac

qubes-rpc/wrap-in-html-if-url.sh

@@ -1,19 +0,0 @@
-#!/bin/sh
-
-wrap_in_html_if_url()
-{
-	case "$1" in
-	*://*)
-		FILE_ARGUMENT=$(mktemp)
-
-		echo -n '<html><meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>'
-        echo -n '<meta HTTP-EQUIV="REFRESH" content="0; url=' > $FILE_ARGUMENT
-		echo -n "$1" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g; s/"/\&quot;/g; s/'"'"'/\&#39;/g' >> $FILE_ARGUMENT
-		echo '"/></html>' >> $FILE_ARGUMENT
-		;;
-	*)
-		FILE_ARGUMENT="$1"
-		;;
-	esac
-}
-

rpm_spec/core-vm.spec

@@ -333,6 +333,7 @@ rm -f %{name}-%{version}
 %dir /etc/qubes-rpc
 %config(noreplace) /etc/qubes-rpc/qubes.Filecopy
 %config(noreplace) /etc/qubes-rpc/qubes.OpenInVM
+%config(noreplace) /etc/qubes-rpc/qubes.OpenURL
 %config(noreplace) /etc/qubes-rpc/qubes.GetAppmenus
 %config(noreplace) /etc/qubes-rpc/qubes.VMShell
 %config(noreplace) /etc/qubes-rpc/qubes.SyncNtpClock
@@ -415,7 +416,6 @@ rm -f %{name}-%{version}
 /usr/lib/qubes/setup-ip
 /usr/lib/qubes/tar2qfile
 /usr/lib/qubes/vm-file-editor
-/usr/lib/qubes/wrap-in-html-if-url.sh
 /usr/lib/qubes/iptables-updates-proxy
 /usr/lib/qubes/close-window
 /usr/lib/qubes/xdg-icon