Bug 66670

Summary: xdg-open: command injection vulnerability
Product: Portland Reporter: Chris Reffett <creffett>
Component: xdg-utilsAssignee: Portland Bugs <portland-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: highest CC: ainsaar, alan.coopersmith, freedesktop-bugs, fweimer, rdieter, wally
Version: unspecified   
Hardware: Other   
OS: All   
Whiteboard:
i915 platform: i915 features:
Bug Depends on:    
Bug Blocks: 23105    
Attachments: Fix argument quoting to avoid evaluation
Fix argument quoting to avoid execution
nuke some extra quoting
Fix argument quoting to avoid execution

Description Chris Reffett 2013-07-07 15:09:03 UTC 
A Gentoo user discovered [1] a vulnerability in xdg-open which allows for arbitrary command injection. I was able to confirm it by running the following command, and it worked with both our packaged version of xdg-utils (1.1.0_rc1 plus some patches) and current git master:

DE="generic" XDG_CURRENT_DESKTOP="" xdg-open 'http://127.0.0.1/$(xterm)' START /usr/bin/chromium-browser "http://127.0.0.1/$(xterm)"

That command should open an xterm terminal instead of chromium. Further details available at our bug.

[1] https://bugs.gentoo.org/show_bug.cgi?id=472888
Comment 1 Chris Reffett 2013-07-07 15:28:09 UTC 
This looks kind of similar to CVE-2008-0386 [1], though I don't believe shell metacharacters are the issue here. Different causes, similar impact.
Comment 2 Rex Dieter 2014-11-14 23:07:53 UTC 
Reminded of this today, will take a closer look over the weekend.
Comment 3 Alan Coopersmith 2014-11-15 17:56:47 UTC 
Posted to full-disclosure security mailing list yesterday:
http://seclists.org/fulldisclosure/2014/Nov/36
Comment 4 Rex Dieter 2014-11-15 19:06:37 UTC 
I'm starting to wonder if this is specific to xdg-utils at all.

Skipping xdg-open and running browsers directly:

/usr/bin/google-chrome-stable "http://127.0.0.1/$(xterm)"
/usr/bin/firefox "http://127.0.0.1/$(xterm)"

etc...

does exactly the same thing.
Comment 5 Rex Dieter 2014-11-15 19:07:58 UTC 
Ah, but using ' instead of " quotes, leads to something that avoids shell expansion, maybe we can simply go with that.
Comment 6 Rex Dieter 2014-11-15 19:50:01 UTC 
Related here is bug #30453 and commit:
http://cgit.freedesktop.org/xdg/xdg-utils/commit/?id=a616912e48b7ff1d908852739d16525df79471b9

Got some apparent extraneous quoting going on
Comment 7 Rex Dieter 2014-11-15 20:02:09 UTC 
Created attachment 109536 [details] [review]
Fix argument quoting to avoid evaluation

First try to address argument quoting issues.  Seems to fix test-case ok, trying other use-cases to verify no regressions.  Please test.
Comment 8 Rex Dieter 2015-01-04 04:09:39 UTC 
Any feedback here or alternative patches?
Comment 9 Michael Gilbert 2015-01-04 19:36:14 UTC 
The proposed changes cause a regression.  See http://bugs.debian.org/773085.
Comment 10 Rex Dieter 2015-01-05 19:10:47 UTC 
Created attachment 111778 [details] [review]
Fix argument quoting to avoid execution

second try, please test.
Comment 11 Michael Gilbert 2015-01-06 22:04:12 UTC 
There is still a regression.  File names with spaces won't work.
Comment 12 Rex Dieter 2015-01-06 22:23:24 UTC 
OK, rats, back to the drawing board, I'll have to work harder to find a way to make it work while avoiding any 'eval'
Comment 13 Rex Dieter 2015-01-06 23:40:47 UTC 
Created attachment 111873 [details] [review]
nuke some extra quoting

first step to proper fix
Comment 14 Rex Dieter 2015-01-06 23:42:35 UTC 
Created attachment 111874 [details] [review]
Fix argument quoting to avoid execution

try wrapping vars in "' ... '"
Comment 15 Rex Dieter 2015-01-19 11:20:39 UTC 
Haven't heard any complaints, so...

Committed the latest approach,
http://cgit.freedesktop.org/xdg/xdg-utils/commit/?id=ab071beaabb62ceda3028dd5efa85e8057c29006
Comment 16 Geert Janssens 2015-01-21 19:59:09 UTC 
I'm confused. How exactly can I verify the patch is fixing the arbitrary command injection vulnerability ?

I have installed xdg-utils-1.1.0-0.35.rc3.fc20, which should carry the patch.

However the test command

DE="generic" XDG_CURRENT_DESKTOP="" xdg-open 'http://127.0.0.1/$(xterm)' START /usr/bin/chromium-browser "http://127.0.0.1/$(xterm)"

opens en xterm both before I installed the test package and after.

I would have thought that the new package was supposed open my default browser (being firefox).

The package that was installed before the update was
xdg-utils.noarch 0:1.1.0-0.31.rc2.fc20
Comment 17 Rex Dieter 2015-01-21 23:44:13 UTC 
I cannot reproduce it anymore.

What shell are you using?
Comment 18 Rex Dieter 2015-01-21 23:45:29 UTC 
fWiw, I get:

$ DE="generic" XDG_CURRENT_DESKTOP="" xdg-open 'http://127.0.0.1/$(xterm)
START /usr/bin/google-chrome-stable http://127.0.0.1/$(xterm)

With a browser window with url:  http://127.0.0.1/$(xterm)
Comment 19 Rex Dieter 2015-01-21 23:47:15 UTC 
this test case, however, launches an xterm:

DE="generic" XDG_CURRENT_DESKTOP="" xdg-open "http://127.0.0.1/$(xterm)"


(note the difference here is the argument is double quotes, note single quote)

I'll have to double-check if this is valid or not
Comment 20 Florian Weimer 2015-01-22 08:12:18 UTC 
(In reply to Rex Dieter from comment #19)
> this test case, however, launches an xterm:
> 
> DE="generic" XDG_CURRENT_DESKTOP="" xdg-open "http://127.0.0.1/$(xterm)"
> 
> 
> (note the difference here is the argument is double quotes, note single
> quote)
> 
> I'll have to double-check if this is valid or not

This test case is not valid because the user's shell starts xterm before even calling xdg-open.  There is nothing xdg-open can do against this.
Comment 21 Rex Dieter 2015-01-22 12:29:34 UTC 
Thanks, I came to the same conclusion

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.