[Portland-bugs] [Bug 66670] New: xdg-open: command injection vulnerability

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Sun Jul 7 08:09:03 PDT 2013


https://bugs.freedesktop.org/show_bug.cgi?id=66670

          Priority: medium
            Bug ID: 66670
          Assignee: portland-bugs at lists.freedesktop.org
           Summary: xdg-open: command injection vulnerability
          Severity: normal
    Classification: Unclassified
                OS: All
          Reporter: creffett at gentoo.org
          Hardware: Other
            Status: NEW
           Version: unspecified
         Component: xdg-utils
           Product: Portland

A Gentoo user discovered [1] a vulnerability in xdg-open which allows for
arbitrary command injection. I was able to confirm it by running the following
command, and it worked with both our packaged version of xdg-utils (1.1.0_rc1
plus some patches) and current git master:

DE="generic" XDG_CURRENT_DESKTOP="" xdg-open 'http://127.0.0.1/$(xterm)' START
/usr/bin/chromium-browser "http://127.0.0.1/$(xterm)"

That command should open an xterm terminal instead of chromium. Further details
available at our bug.

[1] https://bugs.gentoo.org/show_bug.cgi?id=472888
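An added illustration, not xdg-utils' own code, of the defect class the report describes: a launcher that rebuilds its command line with `eval` lets `$(...)` inside the URL run as shell code, whereas handing the URL over as a separate argument leaves it untouched. `fake_browser`, `launch_unsafe`, `launch_safe`, `url_preserved` and the probe URL are constructed for this example.

```shell
#!/bin/sh
# Stand-in for a browser: it only echoes the single URL argument it received.
fake_browser() {
    printf '%s\n' "$1"
}

# Vulnerable pattern (assumed, for illustration): the URL is spliced into a
# command string and re-parsed by eval, so $(...) and backticks in the URL
# are executed before the browser ever sees the argument.
launch_unsafe() {
    url=$1
    eval "fake_browser \"$url\""
}

# Hardened pattern: the URL is passed as one argument, never re-parsed.
# The shell expands "$1" exactly once, and command substitution inside
# the resulting string is not evaluated again.
launch_safe() {
    fake_browser "$1"
}

# Constructed probe: a harmless substitution marker in place of $(xterm).
PROBE_URL='http://127.0.0.1/$(echo SUBSTITUTED)'

# Returns 0 if the launcher named in $1 delivered the URL byte-for-byte,
# non-zero if the URL was altered (i.e. shell syntax inside it was expanded).
url_preserved() {
    got=$("$1" "$PROBE_URL")
    [ "$got" = "$PROBE_URL" ]
}
```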
