Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 447662 - x11-misc/xdg-utils-1.1.0_rc1_p20120916 xdg-open does not escape filenames
Summary: x11-misc/xdg-utils-1.1.0_rc1_p20120916 xdg-open does not escape filenames
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Freedesktop bugs
Depends on:
Reported: 2012-12-18 05:42 UTC by Alex
Modified: 2015-11-22 16:19 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Alex 2012-12-18 05:42:55 UTC
when doing xdg-open 'some (complex filename).jpg' file does not open

Reproducible: Always

Steps to Reproduce:
1.rename file '' to 'section (df ).zip'
2.xdg-open 'xdg-open 'section (df ).zip'
Actual Results:  
xdg-open 'section (df ).zip' 
START /usr/bin/7zFM section (df ).zip
/usr/bin/xdg-open: eval: line 568: syntax error near unexpected token `('
/usr/bin/xdg-open: eval: line 568: `/usr/bin/7zFM section (df ).zip'

Expected Results:  
just open file

version of package

11:41 razor@localhost /home/razor/Downloads % eix -I xdg-utils
[I] x11-misc/xdg-utils
     Available versions:  1.1.0_rc1_p20120319^t (~)1.1.0_rc1_p20120916^t {doc +perl}
     Installed versions:  1.1.0_rc1_p20120916^t(19:15:05 03.12.2012)(perl -doc)
     Description:         Portland utils for cross-platform/cross-toolkit/cross-desktop interoperability

xdg-open --version
% xdg-open --version
xdg-open 1.1.0 rc1
Comment 1 Alex 2012-12-18 05:52:08 UTC
diff --git a/xdg-open b/xdg-open
index 0958fdc..55ba2ad 100755
--- a/xdg-open
+++ b/xdg-open
@@ -562,10 +562,10 @@ search_desktop_file()
         if [ -x "$command_exec" ] ; then
             if echo $arguments | grep -iq '%[fFuU]' ; then
                 echo START $command_exec $arguments_exec
-                eval $command_exec $arguments_exec
+                eval "$command_exec '$arguments_exec'"
                 echo START $command_exec $arguments_exec "$arg"
-                eval $command_exec $arguments_exec "$arg"
+                eval "$command_exec '$arguments_exec' '$arg'"
             if [ $? -eq 0 ]; then

Here is the quick and dirty patch
Comment 2 Chí-Thanh Christopher Nguyễn gentoo-dev 2012-12-18 06:21:13 UTC
I can't reproduce this problem here

$ xdg-open 'section $(df ).zip'
ark launches normally
Comment 3 Samuli Suominen (RETIRED) gentoo-dev 2012-12-18 06:45:07 UTC
We don't carry patches in xdg-utils package, since upstream is very active, please report this to instead and then we can update the git snapshot in tree if it's accepted
Comment 5 john.houwer 2013-06-09 19:08:02 UTC
On my system (amd64) xdg-open is vulnerable to command injection.

example: xdg-open 'http://$(xterm)'

With the upstream code (git) the command isn't executed.

Can someone reproduce this?


x11-misc/xdg-utils-1.1.0_rc1_p20120916 was built with the following:
USE="(multilib) perl -doc" ABI_X86="64"
Comment 6 Alexandre Rostovtsev (RETIRED) gentoo-dev 2013-06-23 21:12:36 UTC
I cannot reproduce the problem here with xdg-utils-1.1.0_rc1_p20120916

Possibly it's dependent on your shell. Are you using bash-4.2 as your /bin/sh, or something else?
Comment 7 john.houwer 2013-06-29 17:15:31 UTC
Bash: 4.2_p45
/bin/sh -> bash
Comment 8 Michael Palimaka (kensington) gentoo-dev 2015-11-22 16:19:09 UTC
x11-misc/xdg-utils-1.1.1 includes reworked xdg-open to be safer - please test.