commit 879d5c530628257a97526998f41c7b34143596c0 Author: Nicholas Guriev Date: Sat May 19 16:02:47 2018 +0300 Rewrite invocation of browser to fix tests * Add tests for fixes of argument injection.
diff --git a/autotests/t-xdg-open.sh b/autotests/t-xdg-open.sh
index c6490c7..dae9269 100755
--- a/autotests/t-xdg-open.sh
+++ b/autotests/t-xdg-open.sh
@@ -139,6 +139,15 @@ mock cyberdog
 BROWSER="cyberdog --url %s"
 run generic xdg-open 'http://www.freedesktop.org/; echo BUSTED'
 assert_run cyberdog --url 'http://www.freedesktop.org/; echo BUSTED'
+unmock cyberdog
+
+test_that_it is not vulnerable to argument injection in URLs when using \
+ \$BROWSER in generic mode
+mock cyberdog
+BROWSER="cyberdog --url %s"
+run generic xdg-open 'http://www.freedesktop.org/ --evil-option'
+assert_run cyberdog --url 'http://www.freedesktop.org/ --evil-option'
+unmock cyberdog

 test_that_it opens files in generic mode
 test_generic_open_file test.txt
diff --git a/scripts/xdg-open.in b/scripts/xdg-open.in
index 630e63e..bcc9896 100644
--- a/scripts/xdg-open.in
+++ b/scripts/xdg-open.in
@@ -366,13 +366,9 @@ open_generic_xdg_x_scheme_handler()
 fi
 }

-has_single_argument()
-{
- test $# = 1
-}
-
 open_envvar()
 {
+ local url="$1"
 local oldifs="$IFS"
 local browser browser_with_arg

@@ -385,12 +381,15 @@ open_envvar()
 fi

 if echo "$browser" | grep -q %s; then
- # Avoid argument injection.
+ # Use loop to insert URL for avoid argument injection.
 # See https://bugs.freedesktop.org/show_bug.cgi?id=103807
- # URIs don't have IFS characters spaces anyway.
- has_single_argument $1 && $(printf "$browser" "$1")
+ shift $#
+ for arg in $browser; do
+ set -- "$@" "$(printf -- "$arg" "$url")"
+ done
+ "$@"
 else
- $browser "$1"
+ $browser "$url"
 fi

 if [ $? -eq 0 ]; then
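Review bot: The added case in autotests/t-xdg-open.sh only exercises a `$BROWSER` value that contains `%s`, so the `else` branch that this commit changes to `$browser "$url"` gets no matching regression test in this hunk. A sibling case with `BROWSER="cyberdog"` and `assert_run cyberdog 'http://www.freedesktop.org/ --evil-option'` would pin that the URL stays a single argument on that path as well, unless a test outside the hunk already covers it.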
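Review bot: In the new loop in open_envvar, every word of `$browser` is handed to `printf` as a format string together with `$url`, including words such as `--url` that hold no conversion specification; POSIX leaves the output unspecified when operands are given but the format consumes none, so the result depends on the shell's printf. Substituting only in words that contain `%s` and passing the others through unchanged avoids that. The unquoted `for arg in $browser` also still undergoes pathname expansion, so a `*` or `?` in `$BROWSER` would be matched against the current directory unless globbing is disabled around the loop, and `arg` could be declared next to `local url` so it does not leak out of the function. The function body begins and ends outside the hunk.

```shell
shift $#
for arg in $browser; do
    case "$arg" in
        *%s*) set -- "$@" "$(printf -- "$arg" "$url")" ;;
        *) set -- "$@" "$arg" ;;
    esac
done
# … unchanged: "$@" invocation and else branch …
```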