[Portland-bugs] [Bug 103807] Argument injection in xdg-open open_envvar

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Mon May 14 09:11:49 UTC 2018


https://bugs.freedesktop.org/show_bug.cgi?id=103807

--- Comment #12 from Gabriel Corona <gabriel.corona at enst-bretagne.fr> ---
Karol, this happens because of command expansion in your shell, before xdg-open
is even called:

    false "https://google.com$(touch /tmp/testfile)"

This command also creates a temporary file which demonstrates that this is not
a problem with xdg-open.


The correct way to try this is to use single quotes in order to prevent command
expansion in your shell:

    BROWSER="firefox %s" xdg-open 'https://google.com$(touch /tmp/testfile)'

This command does not create a temporary file.

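The distinction drawn in the comment above can be checked without involving xdg-open at all. The following is an added example, not part of the original message or of xdg-utils; `record_argv`, the marker file and the `example.invalid` URL are constructed stand-ins, and nothing is opened or launched.

```shell
#!/bin/sh
# Added example: shows that "$(...)" inside double quotes is executed by the
# calling shell before the target program starts. record_argv is a
# hypothetical stand-in for xdg-open; it only records the argument it got.

record_argv() {
    # Store the first argument verbatim; nothing is opened or executed.
    printf '%s' "$1" > "$ARGV_LOG"
}

# Double-quoted URL: the calling shell performs command substitution first,
# so the marker file exists before record_argv is even started.
run_double_quoted() {
    record_argv "https://example.invalid/$(touch "$MARKER")"
}

# Single-quoted URL: the text reaches the program unchanged, so a marker
# file appearing in this case would be the program's own doing.
run_single_quoted() {
    record_argv 'https://example.invalid/$(touch "$MARKER")'
}

# Prints the marker state ("created" or "absent") followed by the argument
# the stand-in program actually received.
quoting_report() {
    mode=$1
    WORK=$(mktemp -d) || return 1
    MARKER="$WORK/marker"
    ARGV_LOG="$WORK/argv"
    "run_${mode}_quoted"
    if [ -e "$MARKER" ]; then state=created; else state=absent; fi
    printf '%s %s\n' "$state" "$(cat "$ARGV_LOG")"
    rm -rf "$WORK"
}

quoting_report double
quoting_report single
```

Only the single-quoted run says anything about the program under test: if the marker file appears there, the expansion happened inside the program rather than in the shell used to type the command.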