<html>
    <head>
      <base href="https://bugs.freedesktop.org/" />
    </head>
    <body>
      <p>
        <div>
            <b><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - xdg-open: command injection vulnerability"
   href="https://bugs.freedesktop.org/show_bug.cgi?id=66670#c4">Comment # 4</a>
              on <a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - xdg-open: command injection vulnerability"
   href="https://bugs.freedesktop.org/show_bug.cgi?id=66670">bug 66670</a>
              from <span class="vcard"><a class="email" href="mailto:rdieter@math.unl.edu" title="Rex Dieter <rdieter@math.unl.edu>"> <span class="fn">Rex Dieter</span></a>
</span></b>
        <pre>I'm starting to wonder if this is specific to xdg-utils at all.

Skipping xdg-open and running browsers directly:

/usr/bin/google-chrome-stable "<a href="http://127.0.0.1/$(xterm">http://127.0.0.1/$(xterm</a>)"
/usr/bin/firefox "<a href="http://127.0.0.1/$(xterm">http://127.0.0.1/$(xterm</a>)"

etc...

does exactly the same thing.</pre>
        </div>
      </p>
      <hr>
      <span>You are receiving this mail because:</span>
      
      <ul>
          <li>You are the assignee for the bug.</li>
      </ul>
    </body>
</html>