Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 447662

Summary: x11-misc/xdg-utils-1.1.0_rc1_p20120916 xdg-open does not escape filenames
Product: Gentoo Linux Reporter: Alex <s9gf4ult>
Component: Current packagesAssignee: Freedesktop bugs <freedesktop-bugs>
Status: RESOLVED TEST-REQUEST    
Severity: normal    
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
See Also: https://bugs.freedesktop.org/show_bug.cgi?id=58453
Whiteboard:
Package list:
Runtime testing required: ---

Description Alex 2012-12-18 05:42:55 UTC 
when doing xdg-open 'some (complex filename).jpg' file does not open

Reproducible: Always

Steps to Reproduce:
1.rename file 'section.zip' to 'section (df ).zip'
2.xdg-open 'xdg-open 'section (df ).zip'
Actual Results:  
xdg-open 'section (df ).zip' 
START /usr/bin/7zFM section (df ).zip
/usr/bin/xdg-open: eval: line 568: syntax error near unexpected token `('
/usr/bin/xdg-open: eval: line 568: `/usr/bin/7zFM section (df ).zip'


Expected Results:  
just open file

version of package

11:41 razor@localhost /home/razor/Downloads % eix -I xdg-utils
[I] x11-misc/xdg-utils
     Available versions:  1.1.0_rc1_p20120319^t (~)1.1.0_rc1_p20120916^t {doc +perl}
     Installed versions:  1.1.0_rc1_p20120916^t(19:15:05 03.12.2012)(perl -doc)
     Homepage:            http://portland.freedesktop.org/
     Description:         Portland utils for cross-platform/cross-toolkit/cross-desktop interoperability


xdg-open --version
% xdg-open --version
xdg-open 1.1.0 rc1
Comment 1 Alex 2012-12-18 05:52:08 UTC 
diff --git a/xdg-open b/xdg-open
index 0958fdc..55ba2ad 100755
--- a/xdg-open
+++ b/xdg-open
@@ -562,10 +562,10 @@ search_desktop_file()
         if [ -x "$command_exec" ] ; then
             if echo $arguments | grep -iq '%[fFuU]' ; then
                 echo START $command_exec $arguments_exec
-                eval $command_exec $arguments_exec
+                eval "$command_exec '$arguments_exec'"
             else
                 echo START $command_exec $arguments_exec "$arg"
-                eval $command_exec $arguments_exec "$arg"
+                eval "$command_exec '$arguments_exec' '$arg'"
             fi
 
             if [ $? -eq 0 ]; then


Here is the quick and dirty patch
Comment 2 Chí-Thanh Christopher Nguyễn gentoo-dev 2012-12-18 06:21:13 UTC 
I can't reproduce this problem here

$ xdg-open 'section $(df ).zip'
ark launches normally
Comment 3 Samuli Suominen (RETIRED) gentoo-dev 2012-12-18 06:45:07 UTC 
We don't carry patches in xdg-utils package, since upstream is very active, please report this to http://bugzilla.freedesktop.org/ instead and then we can update the git snapshot in tree if it's accepted
Comment 5 john.houwer 2013-06-09 19:08:02 UTC 
On my system (amd64) xdg-open is vulnerable to command injection.

example: xdg-open 'http://$(xterm)'

With the upstream code (git) the command isn't executed.

Can someone reproduce this?

Thanks.

x11-misc/xdg-utils-1.1.0_rc1_p20120916 was built with the following:
USE="(multilib) perl -doc" ABI_X86="64"
Comment 6 Alexandre Rostovtsev (RETIRED) gentoo-dev 2013-06-23 21:12:36 UTC 
I cannot reproduce the problem here with xdg-utils-1.1.0_rc1_p20120916

Possibly it's dependent on your shell. Are you using bash-4.2 as your /bin/sh, or something else?
Comment 7 john.houwer 2013-06-29 17:15:31 UTC 
Bash: 4.2_p45
/bin/sh -> bash
Comment 8 Michael Palimaka (kensington) gentoo-dev 2015-11-22 16:19:09 UTC 
x11-misc/xdg-utils-1.1.1 includes reworked xdg-open to be safer - please test.