From 4bd30419c5f404f2a108c5a6bbda0e40551ffd24 Mon Sep 17 00:00:00 2001
From: Rex Dieter
Date: Tue, 6 Jan 2015 17:39:05 -0600
Subject: [PATCH 3/3] xdg-open: command injection vulnerability (BR66670)
---
 ChangeLog | 3 +++
 scripts/xdg-open.in | 4 ++--
 2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 735fee7..65df80c 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,8 @@
 === xdg-utils 1.1.x ===
+2015-01-06 Rex Dieter
+ * xdg-open: command injection vulnerability (BR66670)
+
 2015-01-04 Rex Dieter
 * xdg-screensaver should control X11's screensaver in xfce as fallback (BR80089)
diff --git a/scripts/xdg-open.in b/scripts/xdg-open.in
index c12dcdd..b6045f8 100644
--- a/scripts/xdg-open.in
+++ b/scripts/xdg-open.in
@@ -193,10 +193,10 @@ search_desktop_file()
 if [ -x "$command_exec" ] ; then
 if echo "$arguments" | grep -iq '%[fFuU]' ; then
 echo START "$command_exec" "$arguments_exec"
- eval "$command_exec" "$arguments_exec"
+ eval "'$command_exec'" "'$arguments_exec'"
 else
 echo START "$command_exec" "$arguments_exec" "$arg"
- eval "$command_exec" "$arguments_exec" "$arg"
+ eval "'$command_exec'" "'$arguments_exec'" "'$arg'"
 fi
 if [ $? -eq 0 ]; then
--
2.1.0
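Review bot: The single quotes added around `$command_exec`, `$arguments_exec` and `$arg` on both `eval` lines only hold while those values contain no `'` themselves; a single quote inside the argument or the .desktop data ends the quoted string and the remainder is parsed by `eval` again, so the injection is narrowed rather than closed. Quoting `'$arguments_exec'` as a whole also makes it a single word, which presumably changes behaviour for entries that carry more than one argument (how it is assembled is outside this hunk). It would be safer to drop `eval` and run the program directly with each argument as its own word, e.g. `"$command_exec" "$@"` after the substituted arguments have been placed in the positional parameters with `set --`; failing that, embedded single quotes need escaping before the `eval`. The enclosing `search_desktop_file()` starts and ends outside the hunk.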