From ab053fd4bbba25fda3eb34cf16188917c955ab7b Mon Sep 17 00:00:00 2001
From: Rex Dieter
Date: Sat, 15 Nov 2014 13:58:45 -0600
Subject: [PATCH] xdg-open: command injection vulnerability (BR66670)

---
 ChangeLog           | 3 +++
 scripts/xdg-open.in | 6 +++---
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 3399286..505a4dd 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,8 @@
 === xdg-utils 1.1.x ===
 
+2014-11-15 Rex Dieter
+	* xdg-open: command injection vulnerability (BR66670)
+
 2014-10-09 Rex Dieter
 	* xdg-screensaver plasma5 support
 
diff --git a/scripts/xdg-open.in b/scripts/xdg-open.in
index 0145be3..b2fe57b 100644
--- a/scripts/xdg-open.in
+++ b/scripts/xdg-open.in
@@ -186,17 +186,17 @@ search_desktop_file()
         # FIXME: Actually LC_MESSAGES should be used as described in
         # http://standards.freedesktop.org/desktop-entry-spec/latest/ar01s04.html
         localised_name="'$(get_key "${file}" "Name")'"
-        arguments_exec="$(echo "$arguments" | sed -e 's*%[fFuU]*"'"$arg_one"'"*g' \
+        arguments_exec="$(echo "$arguments" | sed -e 's*%[fFuU]*$arg_one*g' \
                   -e 's*%i*'"$icon"'*g' \
                   -e 's*%c*'"$localised_name"'*g')"
 
         if [ -x "$command_exec" ] ; then
             if echo "$arguments" | grep -iq '%[fFuU]' ; then
                 echo START "$command_exec" "$arguments_exec"
-                eval "$command_exec" "$arguments_exec"
+                eval '$command_exec' '$arguments_exec'
             else
                 echo START "$command_exec" "$arguments_exec" "$arg"
-                eval "$command_exec" "$arguments_exec" "$arg"
+                eval '$command_exec' '$arguments_exec' '$arg'
             fi
 
             if [ $? -eq 0 ]; then
-- 
1.9.3
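Review bot: The new sed expression is single-quoted, so it writes the literal text `$arg_one` into arguments_exec, and `eval '$command_exec' '$arguments_exec'` then expands that variable only once — the result of a parameter expansion is not rescanned for further expansion, which is precisely what makes a `$(...)` inside an attacker-supplied URL inert here, but it also means the launched application receives the string $arg_one instead of the target. The same single-expansion rule leaves `$command_exec`, `$arg` and the single-quoted localised name unquoted inside the string eval parses, so a target path containing spaces or a `*` is field-split or globbed before exec, and the Name value arrives with its surrounding quote characters as part of the argument. A minimal repair keeps the placeholder as a quoted reference that eval itself resolves without ever re-parsing the caller's value: `sed -e 's*%[fFuU]*"$arg_one"*g'` together with `eval '"$command_exec"' "$arguments_exec"` in the first branch and `eval '"$command_exec"' "$arguments_exec" '"$arg"'` in the second (the textual `$icon`/`$localised_name` substitutions come from the desktop file, not from the command line, and are unchanged by this). A more robust shape drops eval altogether by building the argument list with `set --` and calling `"$command_exec" "$@"`, which removes the need to reason about quoting layers at all. search_desktop_file() begins and ends outside this hunk, and arg_one is assigned outside it, so the claim about its value is inferred from the `%[fFuU]` replacement alone.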