Bug 447662 - x11-misc/xdg-utils-1.1.0_rc1_p20120916 xdg-open does not escape filenames
Summary: x11-misc/xdg-utils-1.1.0_rc1_p20120916 xdg-open does not escape filenames
Status: RESOLVED TEST-REQUEST
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Freedesktop bugs
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-12-18 05:42 UTC by Alex
Modified: 2015-11-22 16:19 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Alex 2012-12-18 05:42:55 UTC
when doing xdg-open 'some (complex filename).jpg' file does not open

Reproducible: Always

Steps to Reproduce:
1. rename file 'section.zip' to 'section (df ).zip'
2. xdg-open 'section (df ).zip'
Actual Results:  
xdg-open 'section (df ).zip' 
START /usr/bin/7zFM section (df ).zip
/usr/bin/xdg-open: eval: line 568: syntax error near unexpected token `('
/usr/bin/xdg-open: eval: line 568: `/usr/bin/7zFM section (df ).zip'


Expected Results:  
just open file

version of package

11:41 razor@localhost /home/razor/Downloads % eix -I xdg-utils
[I] x11-misc/xdg-utils
     Available versions:  1.1.0_rc1_p20120319^t (~)1.1.0_rc1_p20120916^t {doc +perl}
     Installed versions:  1.1.0_rc1_p20120916^t(19:15:05 03.12.2012)(perl -doc)
     Homepage:            http://portland.freedesktop.org/
     Description:         Portland utils for cross-platform/cross-toolkit/cross-desktop interoperability


xdg-open --version
% xdg-open --version
xdg-open 1.1.0 rc1
Comment 1 Alex 2012-12-18 05:52:08 UTC
diff --git a/xdg-open b/xdg-open
index 0958fdc..55ba2ad 100755
--- a/xdg-open
+++ b/xdg-open
@@ -562,10 +562,10 @@ search_desktop_file()
         if [ -x "$command_exec" ] ; then
             if echo $arguments | grep -iq '%[fFuU]' ; then
                 echo START $command_exec $arguments_exec
-                eval $command_exec $arguments_exec
+                eval "$command_exec '$arguments_exec'"
             else
                 echo START $command_exec $arguments_exec "$arg"
-                eval $command_exec $arguments_exec "$arg"
+                eval "$command_exec '$arguments_exec' '$arg'"
             fi
 
             if [ $? -eq 0 ]; then
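Review bot: the `'$arguments_exec'` quoting in both replaced eval lines (`eval "$command_exec '$arguments_exec'"` and `eval "$command_exec '$arguments_exec' '$arg'"`) does not make the file name safe, because the file name has already been substituted for the `%[fFuU]` placeholder into `$arguments_exec` before this point (that is what the `grep -iq '%[fFuU]'` branch tests), so a name containing a single quote closes the quoting early and the remainder is parsed by eval again; it also collapses a multi-word `$arguments_exec` (an option followed by the placeholder) into one argument. Escape the file name itself before it is substituted into the template, for example by replacing each `'` with `'\''` and wrapping the result in single quotes, and leave the template's own words unquoted.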


Here is the quick and dirty patch
Comment 2 Chí-Thanh Christopher Nguyễn gentoo-dev 2012-12-18 06:21:13 UTC
I can't reproduce this problem here

$ xdg-open 'section $(df ).zip'
ark launches normally
Comment 3 Samuli Suominen (RETIRED) gentoo-dev 2012-12-18 06:45:07 UTC
We don't carry patches in the xdg-utils package, since upstream is very active; please report this to http://bugzilla.freedesktop.org/ instead, and then we can update the git snapshot in tree if it's accepted.
Comment 5 john.houwer 2013-06-09 19:08:02 UTC
On my system (amd64) xdg-open is vulnerable to command injection.

example: xdg-open 'http://$(xterm)'

With the upstream code (git) the command isn't executed.

Can someone reproduce this?

Thanks.

x11-misc/xdg-utils-1.1.0_rc1_p20120916 was built with the following:
USE="(multilib) perl -doc" ABI_X86="64"
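The two failure modes discussed in this bug, a file name with `(` that makes eval fail (Comment 1's patch) and a `$(...)` in the argument that eval executes (Comment 5), come from the same root cause: the file name is pasted into a command string that is then re-parsed by eval. The following is an added example, not xdg-utils code or anything from the commenters, showing the POSIX quoting idiom that makes such an argument survive eval as one literal word, next to the unquoted pattern for contrast. The function names quote_arg, show_arg, run_with_template and run_unquoted, and the sample file names, are constructed for this example.

```shell
#!/bin/sh
# Added example (not xdg-utils code): quoting one argument so that `eval`
# treats it as a single literal word, even when it contains ( ), $( ), or '.
# quote_arg, show_arg, run_with_template and run_unquoted are names assumed
# for this example.

# quote_arg ARG: print ARG wrapped in single quotes, with every embedded
# single quote turned into the POSIX idiom '\'' (close, escaped quote, reopen).
# Note: the command substitution drops trailing newlines from ARG.
quote_arg() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# show_arg: stand-in for the launched application; reports how many
# arguments it received and the first one, so injection or word splitting
# shows up as a changed count.
show_arg() {
    printf '%s' "$#:$1"
}

# run_with_template TEMPLATE FILE: substitute FILE for the %f placeholder
# and eval the result, the way the desktop-file launch path does, but
# quote FILE first so eval sees it as one literal word.
run_with_template() {
    quoted=$(quote_arg "$2")
    before=${1%%"%f"*}
    after=${1#*"%f"}
    eval "$before$quoted$after"
}

# run_unquoted TEMPLATE FILE: the unsafe pattern from the bug, kept here only
# to contrast the result; FILE is pasted in raw and then re-parsed by eval,
# so a $(...) inside it runs and spaces split it into several arguments.
run_unquoted() {
    before=${1%%"%f"*}
    after=${1#*"%f"}
    eval "$before$2$after"
}

# Demonstration with constructed file names taken from the report.
run_with_template 'show_arg %f' 'section (df ).zip'; echo   # 1:section (df ).zip
run_with_template 'show_arg %f' 'http://$(xterm)'; echo     # 1:http://$(xterm)
run_with_template 'show_arg %f' "it's here.zip"; echo       # 1:it's here.zip
```

The point to check in a template-based launcher is the order of operations: escape the argument first, then substitute it into the template, then eval; quoting the already-substituted string (as Comment 1's patch does) cannot distinguish the template's own words from the file name.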
Comment 6 Alexandre Rostovtsev (RETIRED) gentoo-dev 2013-06-23 21:12:36 UTC
I cannot reproduce the problem here with xdg-utils-1.1.0_rc1_p20120916

Possibly it's dependent on your shell. Are you using bash-4.2 as your /bin/sh, or something else?
Comment 7 john.houwer 2013-06-29 17:15:31 UTC
Bash: 4.2_p45
/bin/sh -> bash
Comment 8 Michael Palimaka (kensington) gentoo-dev 2015-11-22 16:19:09 UTC
x11-misc/xdg-utils-1.1.1 includes a reworked xdg-open that is safer - please test.