[Portland-bugs] [Bug 103807] Argument injection in xdg-open open_envvar
bugzilla-daemon at freedesktop.org
Sat May 19 15:59:55 UTC 2018
https://bugs.freedesktop.org/show_bug.cgi?id=103807
Nicholas Guriev <guriev-ns at ya.ru> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |guriev-ns at ya.ru
--- Comment #17 from Nicholas Guriev <guriev-ns at ya.ru> ---
Created attachment 139640
--> https://bugs.freedesktop.org/attachment.cgi?id=139640&action=edit
Another patch
Please consider this patch for the latest version, 1.1.3. It fixes the issue in
another way. First, the content of the $browser variable is split into separate
arguments, then the %s placeholder for printf is replaced with a URL while
keeping spaces that are passed to a browser in a single argument. So we avoid
passing extra parameters.
An advantage of this approach is that xdg-open doesn't display the irrelevant error
message "no method available ..." (something like "invalid argument" would be
more appropriate). This preserves the current behavior, and the utility still
tries to open even a slightly invalid URL.
The patch uses positional parameters to deal with the argument list to achieve
portability. Also, I've added an auto-test for this vulnerability.
--
You are receiving this mail because:
You are the assignee for the bug.
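
The split-then-substitute order described in comment #17, as an added example that is not the attached patch or xdg-open's own code. The function names, the `mybrowser` entry and the sample URL are constructed for illustration, and the first function is a simplified model of substituting before splitting.

```shell
#!/bin/sh
# Added example, not the attached patch. Function names are hypothetical;
# the browser entry and URL at the bottom are constructed sample values.

# Substitute first, split second: the URL is word-split together with the
# rest of the entry, so a space in the URL creates extra arguments.
expand_naive() {
    en_entry=$1 en_url=$2
    set -f
    # shellcheck disable=SC2046,SC2059
    set -- $(printf "$en_entry" "$en_url")
    set +f
    printf '%s\n' "$@"
}

# Split first, substitute second: only the entry is word-split, and the
# URL is then pasted into the word that holds %s, spaces included.
expand_split() {
    es_entry=$1 es_url=$2
    set -f                      # no pathname expansion while splitting
    # shellcheck disable=SC2086
    set -- $es_entry            # one positional parameter per word
    set +f
    es_n=$#
    while [ "$es_n" -gt 0 ]; do
        es_arg=$1; shift
        case $es_arg in
            # Parameter expansion instead of printf, so other % sequences
            # in the entry are left alone; replaces the first %s only.
            *%s*) es_arg=${es_arg%%\%s*}$es_url${es_arg#*%s} ;;
        esac
        set -- "$@" "$es_arg"   # rotate: processed words go to the end
        es_n=$((es_n - 1))
    done
    printf '%s\n' "$@"          # one argument per line
}

SAMPLE_ENTRY='mybrowser --open %s'
SAMPLE_URL='http://example.test/a b --constructed-flag'

echo "naive: $(expand_naive "$SAMPLE_ENTRY" "$SAMPLE_URL" | grep -c '') arguments"
echo "split: $(expand_split "$SAMPLE_ENTRY" "$SAMPLE_URL" | grep -c '') arguments"
```

With the sample values, the naive order yields five arguments and the split order yields three, the last of which is the whole URL.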