[Portland-bugs] [Bug 66670] xdg-open: command injection vulnerability
bugzilla-daemon at freedesktop.org
Wed Jan 21 11:59:09 PST 2015
https://bugs.freedesktop.org/show_bug.cgi?id=66670
--- Comment #16 from Geert Janssens <geert at kobaltwit.be> ---
I'm confused. How exactly can I verify the patch is fixing the arbitrary
command injection vulnerability?
I have installed xdg-utils-1.1.0-0.35.rc3.fc20, which should carry the patch.
However the test command
DE="generic" XDG_CURRENT_DESKTOP="" xdg-open 'http://127.0.0.1/$(xterm)' START
/usr/bin/chromium-browser "http://127.0.0.1/$(xterm)"
opens an xterm both before I installed the test package and after.
I would have thought that the new package was supposed to open my default browser
(being firefox).
The package that was installed before the update was
xdg-utils.noarch 0:1.1.0-0.31.rc2.fc20