[Portland-bugs] [Bug 21018] New: xdg-utils incorrectly parses output, causing wrong output

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Thu Apr 2 14:17:44 PDT 2009


http://bugs.freedesktop.org/show_bug.cgi?id=21018

           Summary: xdg-utils incorrectly parses output, causing wrong
                    output
           Product: Portland
           Version: unspecified
          Platform: Other
               URL: https://bugs.edge.launchpad.net/ubuntu/+source/xdg-utils/+bug/335643
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: medium
         Component: xdg-utils
        AssignedTo: portland-bugs at lists.freedesktop.org
        ReportedBy: jamie at canonical.com


This bug was reported in the Ubuntu bug tracker as a security vulnerability. I
do not feel it is a security vulnerability because it appears xdg-mime will at
worst echo back the filename rather than the mimetype. E.g., from within a GNOME
session:

$ touch '/tmp/foo:runme'
$ KDE_FULL_SESSION=false GNOME_DESKTOP_SESSION_ID= xdg-mime query filetype /tmp/foo\:runme
runme

This is simply because info_kde(), info_gnome() and info_generic() use cut with
a delimiter that, if present in the filename, causes unintended output. See the
Ubuntu bug for details and a suggested patch.

xdg-utils 1.0.2 (1.0.2-6.1 on Ubuntu and Debian)


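The parsing problem described in the report above, as an added example that is not part of the original message and is not the xdg-utils source. It models a tool that prints "<filename>: <mimetype>" and compares splitting on ":" with stripping the known filename prefix; the function names and the sample mimetype are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: a simplified model of the parsing pattern in the report,
# not the xdg-utils source. All function names here are hypothetical.

# Constructed stand-in for a tool that prints "<filename>: <mimetype>".
# The mimetype value is a constructed sample.
tool_output() {
    printf '%s: %s\n' "$1" 'text/plain'
}

# Fragile: take the second ":"-separated field. A ":" inside the
# filename shifts the fields, so part of the name is returned instead.
mime_via_cut() {
    tool_output "$1" | cut -d ':' -f 2 | sed 's/^ //'
}

# Hardened: the caller already knows the filename, so strip exactly that
# prefix. The quotes make the name match literally, not as a glob pattern.
mime_via_prefix() {
    line=$(tool_output "$1")
    printf '%s\n' "${line#"$1: "}"
}

# Constructed filenames: one plain, the rest containing the delimiter.
for name in '/tmp/foo' '/tmp/foo:runme' '/tmp/a:b:c' '/tmp/*:x'; do
    printf '%-16s cut=%-12s prefix=%s\n' \
        "$name" "$(mime_via_cut "$name")" "$(mime_via_prefix "$name")"
done
```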