Attachment 111778 Details for Bug 66670 – Fix argument quoting to avoid execution

[patch] Fix argument quoting to avoid execution

0002-xdg-open-command-injection-vulnerability-BR66670.patch (text/plain), 1.96 KB, created by Rex Dieter on 2015-01-05 19:10:47 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Rex Dieter

Created: 2015-01-05 19:10:47 UTC

Size: 1.96 KB

patch

obsolete

>From 11a4bd44692f74a8b8b4615e44dc897c929ef1e5 Mon Sep 17 00:00:00 2001
>From: Rex Dieter <rdieter@math.unl.edu>
>Date: Mon, 5 Jan 2015 13:09:05 -0600
>Subject: [PATCH 2/2] xdg-open: command injection vulnerability (BR66670)
>
>---
> ChangeLog           | 3 +++
> scripts/xdg-open.in | 6 +++---
> 2 files changed, 6 insertions(+), 3 deletions(-)
>
>diff --git a/ChangeLog b/ChangeLog
>index 735fee7..e309517 100644
>--- a/ChangeLog
>+++ b/ChangeLog
>@@ -1,5 +1,8 @@
> === xdg-utils 1.1.x ===
> 
>+2015-01-05 Rex Dieter <rdieter@fedoraproject.org>
>+   * xdg-open: command injection vulnerability (BR66670)
>+
> 2015-01-04 Rex Dieter <rdieter@fedoraproject.org>
>    * xdg-screensaver should control X11's screensaver in xfce as fallback (BR80089)
> 
>diff --git a/scripts/xdg-open.in b/scripts/xdg-open.in
>index 0145be3..9f01747 100644
>--- a/scripts/xdg-open.in
>+++ b/scripts/xdg-open.in
>@@ -186,17 +186,17 @@ search_desktop_file()
>         # FIXME: Actually LC_MESSAGES should be used as described in
>         # http://standards.freedesktop.org/desktop-entry-spec/latest/ar01s04.html
>         localised_name="'$(get_key "${file}" "Name")'"
>-        arguments_exec="$(echo "$arguments" | sed -e 's*%[fFuU]*"'"$arg_one"'"*g' \
>+        arguments_exec="$(echo "$arguments" | sed -e 's*%[fFuU]*'"$arg_one"'*g' \
>                                                   -e 's*%i*'"$icon"'*g' \
>                                                   -e 's*%c*'"$localised_name"'*g')"
> 
>         if [ -x "$command_exec" ] ; then
>             if echo "$arguments" | grep -iq '%[fFuU]' ; then
>                 echo START "$command_exec" "$arguments_exec"
>-                eval "$command_exec" "$arguments_exec"
>+                eval "$command_exec" '$arguments_exec'
>             else
>                 echo START "$command_exec" "$arguments_exec" "$arg"
>-                eval "$command_exec" "$arguments_exec" "$arg"
>+                eval "$command_exec" '$arguments_exec' '$arg'
>             fi
> 
>             if [ $? -eq 0 ]; then
>-- 
>1.9.3
>

Actions: View | Splinter Review

Attachments on bug 66670: 109536 | 111778 | 111873 | 111874

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.