Hi,

When xdg-open 'http://127.0.0.1/$(xterm)' is run, the script does no escaping and an xterm is started. If you run the script with -x you see the problem:

+ eval /usr/bin/firefox '"http://127.0.0.1/$(xterm)"'
/usr/bin/firefox "http://127.0.0.1/$(xterm)"

Injection of arbitrary commands is possible. Some applications don't validate the input to xdg-open.

I was able to produce this behaviour with:
1.1.0_rc1_p20120319^t
~1.1.0_rc1_p20120916^t

However I was unable to reproduce it with the freedesktop.org source (git).

Yesterday I posted this bug to the similar bug: https://bugs.gentoo.org/show_bug.cgi?id=447662
But I think this here is the better choice.

If you need more info, please contact me. Thank you.

Regards
John
The reporter tested against upstream git and couldn't reproduce there.
I cannot reproduce the problem here with xdg-utils-1.1.0_rc1_p20120916. Possibly it's dependent on your shell. Are you using bash-4.2 as your /bin/sh, or something else?
Bash: 4.2_p45 /bin/sh -> bash
This triggers the problem:

DE="generic" XDG_CURRENT_DESKTOP="" xdg-open 'http://127.0.0.1/$(xterm)'
START /usr/bin/chromium-browser "http://127.0.0.1/$(xterm)"
/usr/bin/xdg-open: line 558: xterm: command not found

i.e. only when detectDE() does not find a supported desktop environment and xdg-open uses the open_generic() function.
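The mechanism in the comment above (the URL string being re-parsed by eval in the generic code path) shown beside the argument-passing form that never re-parses it, as an added example written for this page and not code from xdg-utils; fake_browser is a constructed stand-in for the real browser command.

```shell
#!/bin/sh
# Added example, not xdg-utils code. Contrasts an eval-based launcher with
# one that hands the URL over as a single argument word.

# Constructed stand-in for the browser: it only prints the argument it got,
# so the two launchers can be compared without opening anything.
fake_browser() {
    printf '%s\n' "$1"
}

# Vulnerable pattern: the URL is spliced into a command string which eval
# then re-parses, so shell syntax inside the URL ($(...), backticks, ;)
# is interpreted instead of being passed through as data.
open_generic_vulnerable() {
    eval fake_browser "\"$1\""
}

# Hardened pattern: no eval. The URL travels as one argument word through
# "$1"; the shell never re-parses its contents, so $(...) stays literal.
open_generic_safe() {
    fake_browser "$1"
}

# Usage: open_generic_safe 'http://127.0.0.1/$(example)'
# prints the URL unchanged, whereas open_generic_vulnerable runs the
# substitution and prints http://127.0.0.1/ followed by its output.
```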
I can confirm this as well. Should we request a CVE?
Filed upstream.
CVE-2014-9622 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9622): Eval injection vulnerability in xdg-utils 1.1.0 RC1, when no supported desktop environment is identified, allows context-dependent attackers to execute arbitrary code via the URL argument to xdg-open.
rc1 has been removed from the tree, upstream bug is fixed. @freedesktop, anything left to do?
Ping @freedesktop? Does anything else need to be done from your side?
Current stable still appears to be affected. I am going to CC arch teams in bug #558676 to take care of this.
This issue was resolved and addressed in GLSA 201701-09 at https://security.gentoo.org/glsa/201701-09 by GLSA coordinator Thomas Deutschmann (whissi).