| Summary: | x11-misc/xdg-utils-1.1.0_rc1_p20120916 xdg-open does not escape filenames | | |
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Alex <s9gf4ult> |
| Component: | Current packages | Assignee: | Freedesktop bugs <freedesktop-bugs> |
| Status: | RESOLVED TEST-REQUEST | | |
| Severity: | normal | | |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| See Also: | https://bugs.freedesktop.org/show_bug.cgi?id=58453 | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |
Description
Alex
2012-12-18 05:42:55 UTC
```diff
diff --git a/xdg-open b/xdg-open
index 0958fdc..55ba2ad 100755
--- a/xdg-open
+++ b/xdg-open
@@ -562,10 +562,10 @@ search_desktop_file()
     if [ -x "$command_exec" ] ; then
         if echo $arguments | grep -iq '%[fFuU]' ; then
             echo START $command_exec $arguments_exec
-            eval $command_exec $arguments_exec
+            eval "$command_exec '$arguments_exec'"
         else
             echo START $command_exec $arguments_exec "$arg"
-            eval $command_exec $arguments_exec "$arg"
+            eval "$command_exec '$arguments_exec' '$arg'"
         fi
         if [ $? -eq 0 ]; then
```

Here is the quick and dirty patch.

I can't reproduce this problem here:

    $ xdg-open 'section $(df ).zip'

ark launches normally.

We don't carry patches in the xdg-utils package, since upstream is very active. Please report this to http://bugzilla.freedesktop.org/ instead, and then we can update the git snapshot in tree if it's accepted.

On my system (amd64) xdg-open is vulnerable to command injection. Example:

    xdg-open 'http://$(xterm)'

With the upstream code (git) the command isn't executed. Can someone reproduce this? Thanks.

x11-misc/xdg-utils-1.1.0_rc1_p20120916 was built with the following:

    USE="(multilib) perl -doc" ABI_X86="64"

I cannot reproduce the problem here with xdg-utils-1.1.0_rc1_p20120916. Possibly it's dependent on your shell. Are you using bash-4.2 as your /bin/sh, or something else?

Bash: 4.2_p45, /bin/sh -> bash

x11-misc/xdg-utils-1.1.1 includes reworked xdg-open to be safer - please test.
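Review bot: wrapping `$arguments_exec` and `$arg` in single quotes inside the eval string (the two `+` lines) still hands the data to the shell for re-parsing; a single quote inside the argument ends the quoted section early and everything after it is interpreted by eval again, and since `$arguments_exec` is normally several words (options plus the field code) the whole string now reaches the program as one argument. The robust change is to drop eval altogether: substitute the %f/%u field code into the positional parameters with `set -- "$@" "$arg"` and run `"$command_exec" "$@"`. Separately, the `echo START ...` context lines look like leftover debugging output and should not be part of a patch sent upstream.

As an added example, not code from xdg-utils or from anyone in this thread, the following POSIX sh function shows the eval-free approach the thread is circling around: the Exec value from a .desktop file is split into words, the %f/%F/%u/%U field code is replaced by the target inside the positional parameters, and the program is run as `"$@"`, so a target such as `http://$(xterm)` or `section $(df ).zip` arrives at the program as a literal string. It assumes Exec words are whitespace-separated (the Exec quoting rules of the desktop-entry spec are not handled), and the Exec values used in the demonstration (`printf` standing in for a real program, with a constructed `open` option) are made up for the example.

```sh
#!/bin/sh
# Added example (not xdg-utils code): expand a .desktop Exec value into an
# argument vector with "set --" and run it as "$@", so the target argument
# is passed to the program verbatim and is never re-parsed by eval.
# Assumptions: Exec words are separated by whitespace (Exec quoting rules
# are not handled), and the Exec values used below are constructed.

# run_exec EXEC_LINE TARGET
# Field codes %f %F %u %U are replaced by TARGET, %% becomes a literal %,
# and any other single-letter field code is dropped. Every other word is
# passed through unchanged.
run_exec() {
    exec_line=$1
    target=$2

    # Disable pathname expansion while splitting Exec into words, so a
    # word such as "[%s]" or "*" is not matched against the filesystem.
    case $- in
        *f*) restore_glob=0 ;;
        *)   restore_glob=1; set -f ;;
    esac

    set --
    for word in $exec_line; do
        case $word in
            %f|%F|%u|%U) set -- "$@" "$target" ;;  # the only place TARGET enters
            %%)          set -- "$@" '%' ;;
            %[a-zA-Z])   ;;                        # unsupported field code: drop
            *)           set -- "$@" "$word" ;;
        esac
    done

    [ "$restore_glob" -eq 1 ] && set +f

    # "$@" keeps every element as one argument; no shell re-parsing happens.
    "$@"
}

# Stand-alone demonstration: printf stands in for the real program and
# echoes what it received. Both inputs from the bug report arrive literally.
run_exec 'printf %s\n %U' 'http://$(xterm)'
run_exec 'printf %s\n open %f' 'section $(df ).zip'
```

The same inputs fed to the `eval` lines in the patch above would be re-parsed by the shell; here they are only ever data, which is the property the reworked xdg-open in 1.1.1 is meant to provide.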