<html> <head> <base href="https://bugs.freedesktop.org/" /> </head> <body><table border="1" cellspacing="0" cellpadding="8"> <tr> <th>Priority</th> <td>medium </td> </tr> <tr> <th>Bug ID</th> <td><a class="bz_bug_link bz_status_NEW " title="NEW --- - xdg-open: command injection vulnerability" href="https://bugs.freedesktop.org/show_bug.cgi?id=66670">66670</a> </td> </tr> <tr> <th>Assignee</th> <td>portland-bugs@lists.freedesktop.org </td> </tr> <tr> <th>Summary</th> <td>xdg-open: command injection vulnerability </td> </tr> <tr> <th>Severity</th> <td>normal </td> </tr> <tr> <th>Classification</th> <td>Unclassified </td> </tr> <tr> <th>OS</th> <td>All </td> </tr> <tr> <th>Reporter</th> <td>creffett@gentoo.org </td> </tr> <tr> <th>Hardware</th> <td>Other </td> </tr> <tr> <th>Status</th> <td>NEW </td> </tr> <tr> <th>Version</th> <td>unspecified </td> </tr> <tr> <th>Component</th> <td>xdg-utils </td> </tr> <tr> <th>Product</th> <td>Portland </td> </tr></table> <p> <div> <pre>A Gentoo user discovered [1] a vulnerability in xdg-open which allows for arbitrary command injection. I was able to confirm it by running the following command, and it worked with both our packaged version of xdg-utils (1.1.0_rc1 plus some patches) and current git master: DE="generic" XDG_CURRENT_DESKTOP="" xdg-open '<a href="http://127.0.0.1/$(xterm">http://127.0.0.1/$(xterm</a>)' START /usr/bin/chromium-browser "<a href="http://127.0.0.1/$(xterm">http://127.0.0.1/$(xterm</a>)" That command should open an xterm terminal instead of chromium. Further details available at our bug. [1] <a href="https://bugs.gentoo.org/show_bug.cgi?id=472888">https://bugs.gentoo.org/show_bug.cgi?id=472888</a></pre> </div> </p> <hr> <span>You are receiving this mail because:</span> <ul> <li>You are the assignee for the bug.</li> </ul> </body> </html>