Bug 21018 - xdg-utils incorrectly parses output, causing wrong output
Status: NEW
Alias: None
Product: Portland
Classification: Unclassified
Component: xdg-utils
Version: unspecified
Hardware: Other All
Importance: medium normal
Assignee: Fathi Boudra
URL: https://bugs.edge.launchpad.net/ubunt...
Keywords: patch
Reported: 2009-04-02 14:17 UTC by jamie
Modified: 2013-01-27 19:25 UTC

Attachments
Patch from Ubuntu bug (2.22 KB, patch)
2010-07-08 11:04 UTC, Andrew Starr-Bochicchio
Description jamie 2009-04-02 14:17:43 UTC
This bug was reported in the Ubuntu bug tracker as a security vulnerability. I do not feel it is a security vulnerability because it appears xdg-mime will at worst echo back the filename rather than the mimetype. E.g., from within a GNOME session:

$ touch '/tmp/foo:runme'
$ KDE_FULL_SESSION=false GNOME_DESKTOP_SESSION_ID= xdg-mime query filetype /tmp/foo\:runme
runme

This is simply because info_kde(), info_gnome() and info_generic() use cut with a delimiter that, if present in the filename, causes unintended output. See the Ubuntu bug for details and a suggested patch.

xdg-utils 1.0.2 (1.0.2-6.1 on Ubuntu and Debian)
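
The parsing problem described in this report, as an added example that is not part of the bug report, the attached patch or xdg-utils itself. It assumes the delimiter is `:` and the second field is taken (consistent with the `runme` output above); the function names and the `name: type` line are constructed for illustration, and no real tool is invoked.

```shell
#!/bin/sh
# Constructed sample: the "name: type" line that a file(1)-style tool prints.
sample_output() {
    # $1 = filename, $2 = mimetype (both supplied by the caller)
    printf '%s: %s\n' "$1" "$2"
}

# Fragile form (assumed shape of the parsing the report describes):
# split on ':' and take field 2. A ':' inside the filename shifts the fields.
parse_with_cut() {
    # $1 = tool output line
    printf '%s\n' "$1" | cut -d ':' -f 2 | sed 's/^ *//'
}

# Hardened form: the caller already knows the filename it queried, so strip
# that exact prefix instead of guessing where the name ends.
parse_by_prefix() {
    # $1 = tool output line, $2 = filename that was queried
    line=$1
    prefix="$2: "
    case $line in
        # Quoting "$prefix" makes it match literally, even if the
        # filename contains glob characters such as '*' or '['.
        "$prefix"*) printf '%s\n' "${line#"$prefix"}" ;;
        # Unexpected format: fail rather than echo part of the filename.
        *) return 1 ;;
    esac
}

demo() {
    for f in '/tmp/foo' '/tmp/foo:runme'; do
        out=$(sample_output "$f" 'text/plain')
        echo "file:   $f"
        echo "cut:    $(parse_with_cut "$out")"
        echo "prefix: $(parse_by_prefix "$out" "$f")"
    done
}
demo
```
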
Comment 1 Andrew Starr-Bochicchio 2010-07-08 11:04:59 UTC
Created attachment 36854
Patch from Ubuntu bug
Comment 2 dunric29a 2013-01-27 19:25:32 UTC
I can confirm the issue is still not fixed in xdg-utils 1.1.0, git snapshot from 2012-10-08.
Attached patch does work for me.
Please update in upstream.