is run, the script does no escaping and an xterm is started.
If you run the script with -x you see the problem.
+ eval /usr/bin/firefox '"http://127.0.0.1/$(xterm)"'
Injection of arbitrary commands is possible. Some applications don't validate the input to xdg-open.
I was able to produce this behaviour with:
However I was unable to reproduce it with the freedesktop.org source (git).
Yesterday I posted this bug to the similar bug:
But I think this here is the better choice.
If you need more info, please contact me.
The reporter tested against upstream git and couldn't reproduce there.
I cannot reproduce the problem here with xdg-utils-1.1.0_rc1_p20120916
Possibly it's dependent on your shell. Are you using bash-4.2 as your /bin/sh, or something else?
/bin/sh -> bash
This triggers the problem:
DE="generic" XDG_CURRENT_DESKTOP="" xdg-open 'http://127.0.0.1/$(xterm)'
START /usr/bin/chromium-browser "http://127.0.0.1/$(xterm)"
/usr/bin/xdg-open: line 558: xterm: command not found
i.e. only when detectDE() does not find a supported desktop environment and xdg-open uses the open_generic() function.
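The open_generic() path described above, reduced to a stand-alone shell demonstration (an added example, not code from xdg-utils): the eval-based pattern is contrasted with direct invocation, and a stub "browser" records what it receives so the two can be compared. Names such as fake_browser, open_generic_unsafe, open_generic_safe and probe are assumptions of this example.

```shell
# Added example (not the xdg-utils source). Contrasts the eval-based
# open_generic() pattern with a version that hands the URL to the browser
# as one quoted argument. A stub browser logs its arguments so the effect
# of each variant can be checked.

LOG="${TMPDIR:-/tmp}/fake_browser.$$.log"

# Stand-in for the browser binary: records each argument, one per line.
fake_browser() {
    printf '%s\n' "$@" >> "$LOG"
}

# Vulnerable pattern (as in the affected xdg-open): the URL is interpolated
# into a command string that is then re-parsed by eval, so a $(...) inside
# the URL is executed by the shell.
open_generic_unsafe() {
    url="$1"
    eval fake_browser "\"$url\""
}

# Fixed pattern: the browser is invoked directly with the URL as a single
# argument; the shell never re-parses the URL contents.
open_generic_safe() {
    url="$1"
    fake_browser "$url"
}

# Run one variant with a constructed URL carrying a benign command
# substitution and print 1 if the substitution ran, 0 if it was passed
# through literally. The marker file only exists if $(...) executed.
probe() {
    variant="$1"
    marker="${TMPDIR:-/tmp}/xdg_probe_marker.$$"
    rm -f "$marker" "$LOG"
    "$variant" "http://127.0.0.1/\$(touch $marker)"
    if [ -e "$marker" ]; then rm -f "$marker"; echo 1; else echo 0; fi
}

# What the stub browser last received as its URL argument.
last_url() {
    tail -n 1 "$LOG"
}
```

Running `probe open_generic_unsafe` reports 1 and the browser sees only `http://127.0.0.1/`, while `probe open_generic_safe` reports 0 and the browser receives the untouched string.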
I can confirm this as well. Should we request a CVE?
Eval injection vulnerability in xdg-utils 1.1.0 RC1, when no supported
desktop environment is identified, allows context-dependent attackers to
execute arbitrary code via the URL argument to xdg-open.
rc1 has been removed from the tree, upstream bug is fixed.
@freedesktop, anything left to do?
Ping @freedesktop? Does anything else need to be done from your side?
Current stable still appears to be affected. I am going to CC arch teams in bug #558676 to take care of this.
This issue was resolved and addressed in
GLSA 201701-09 at https://security.gentoo.org/glsa/201701-09
by GLSA coordinator Thomas Deutschmann (whissi).