[Portland-bugs] [Bug 66670] xdg-open: command injection vulnerability
bugzilla-daemon at freedesktop.org
Thu Jan 22 00:12:18 PST 2015
https://bugs.freedesktop.org/show_bug.cgi?id=66670
--- Comment #20 from Florian Weimer <fweimer at redhat.com> ---
(In reply to Rex Dieter from comment #19)
> this test case, however, launches an xterm:
>
> DE="generic" XDG_CURRENT_DESKTOP="" xdg-open "http://127.0.0.1/$(xterm)"
>
>
> (note the difference here is the argument is in double quotes, not single
> quotes)
>
> I'll have to double-check if this is valid or not
This test case is not valid because the user's shell starts xterm before even
calling xdg-open. There is nothing xdg-open can do against this.
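The point made in the reply above, as an added example that is not part of the original message or of xdg-utils: a stand-in function records whether a `$(...)` in its argument had already run when it was entered. `fake_open`, `side_effect` and the marker file are hypothetical names; `side_effect` is a harmless substitute for `xterm`.

```shell
#!/bin/sh
# Constructed demo: who evaluates $(...) in a test case, the caller's shell
# or the program under test? fake_open stands in for xdg-open (assumption)
# and treats its argument purely as data.

WORK=$(mktemp -d)
MARKER="$WORK/substitution-ran"
trap 'rm -rf "$WORK"' EXIT

# Harmless stand-in for $(xterm): leaves a marker file and prints nothing.
side_effect() { : > "$MARKER"; }

# Records the argument it received and whether the marker already existed
# at the moment it was entered.
fake_open() {
    if [ -e "$MARKER" ]; then
        SUBST_BEFORE_CALL=yes
    else
        SUBST_BEFORE_CALL=no
    fi
    RECEIVED=$1
}

# Double quotes: the calling shell expands $(side_effect) while building
# the argument list, before fake_open starts.
run_double_quoted() {
    rm -f "$MARKER"
    fake_open "http://127.0.0.1/$(side_effect)"
}

# Single quotes: the literal text reaches fake_open, so any later execution
# would have to come from the program under test itself.
run_single_quoted() {
    rm -f "$MARKER"
    fake_open 'http://127.0.0.1/$(side_effect)'
}

run_double_quoted
printf 'double: arg=%s ran-before-call=%s\n' "$RECEIVED" "$SUBST_BEFORE_CALL"
run_single_quoted
printf 'single: arg=%s ran-before-call=%s\n' "$RECEIVED" "$SUBST_BEFORE_CALL"
```

Only the single-quoted form hands the program the literal `$(...)` text, so only that form can show whether the program itself evaluates it.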