Bug 66670 - xdg-open: command injection vulnerability
Summary: xdg-open: command injection vulnerability
Status: RESOLVED FIXED
Alias: None
Product: Portland
Classification: Unclassified
Component: xdg-utils (show other bugs)
Version: unspecified
Hardware: Other All
: highest normal
Assignee: Portland Bugs
QA Contact:
URL:
Whiteboard:
Keywords:
Depends on:
Blocks: 23105
  Show dependency treegraph
 
Reported: 2013-07-07 15:09 UTC by Chris Reffett
Modified: 2015-01-22 12:29 UTC (History)
6 users (show)

See Also:
i915 platform:
i915 features:


Attachments
Fix argument quoting to avoid evaluation (1.90 KB, patch)
2014-11-15 20:02 UTC, Rex Dieter
Details | Splinter Review
Fix argument quoting to avoid execution (1.96 KB, patch)
2015-01-05 19:10 UTC, Rex Dieter
Details | Splinter Review
nuke some extra quoting (1.02 KB, patch)
2015-01-06 23:40 UTC, Rex Dieter
Details | Splinter Review
Fix argument quoting to avoid execution (1.44 KB, patch)
2015-01-06 23:42 UTC, Rex Dieter
Details | Splinter Review

Note You need to log in before you can comment on or make changes to this bug.
Description Chris Reffett 2013-07-07 15:09:03 UTC
A Gentoo user discovered [1] a vulnerability in xdg-open which allows for arbitrary command injection. I was able to confirm it by running the following command, and it worked with both our packaged version of xdg-utils (1.1.0_rc1 plus some patches) and current git master:

DE="generic" XDG_CURRENT_DESKTOP="" xdg-open 'http://127.0.0.1/$(xterm)' START /usr/bin/chromium-browser "http://127.0.0.1/$(xterm)"

That command should open an xterm terminal instead of chromium. Further details available at our bug.

[1] https://bugs.gentoo.org/show_bug.cgi?id=472888
Comment 1 Chris Reffett 2013-07-07 15:28:09 UTC
This looks kind of similar to CVE-2008-0386 [1], though I don't believe shell metacharacters are the issue here. Different causes, similar impact.
Comment 2 Rex Dieter 2014-11-14 23:07:53 UTC
Reminded of this today, will take a closer look over the weekend.
Comment 3 Alan Coopersmith 2014-11-15 17:56:47 UTC
Posted to full-disclosure security mailing list yesterday:
http://seclists.org/fulldisclosure/2014/Nov/36
Comment 4 Rex Dieter 2014-11-15 19:06:37 UTC
I'm starting to wonder if this is specific to xdg-utils at all.

Skipping xdg-open and running browsers directly:

/usr/bin/google-chrome-stable "http://127.0.0.1/$(xterm)"
/usr/bin/firefox "http://127.0.0.1/$(xterm)"

etc...

does exactly the same thing.
Comment 5 Rex Dieter 2014-11-15 19:07:58 UTC
Ah, but using ' instead of " quotes, leads to something that avoids shell expansion, maybe we can simply go with that.
Comment 6 Rex Dieter 2014-11-15 19:50:01 UTC
Related here is bug #30453 and commit:
http://cgit.freedesktop.org/xdg/xdg-utils/commit/?id=a616912e48b7ff1d908852739d16525df79471b9

Got some apparent extraneous quoting going on
Comment 7 Rex Dieter 2014-11-15 20:02:09 UTC
Created attachment 109536 [details] [review]
Fix argument quoting to avoid evaluation

First try to address argument quoting issues.  Seems to fix test-case ok, trying other use-cases to verify no regressions.  Please test.
Comment 8 Rex Dieter 2015-01-04 04:09:39 UTC
Any feedback here or alternative patches?
Comment 9 Michael Gilbert 2015-01-04 19:36:14 UTC
The proposed changes cause a regression.  See http://bugs.debian.org/773085.
Comment 10 Rex Dieter 2015-01-05 19:10:47 UTC
Created attachment 111778 [details] [review]
Fix argument quoting to avoid execution

second try, please test.
Comment 11 Michael Gilbert 2015-01-06 22:04:12 UTC
There is still a regression.  File names with spaces won't work.
Comment 12 Rex Dieter 2015-01-06 22:23:24 UTC
OK, rats, back to the drawing board, I'll have to work harder to find a way to make it work while avoiding any 'eval'
Comment 13 Rex Dieter 2015-01-06 23:40:47 UTC
Created attachment 111873 [details] [review]
nuke some extra quoting

first step to proper fix
Comment 14 Rex Dieter 2015-01-06 23:42:35 UTC
Created attachment 111874 [details] [review]
Fix argument quoting to avoid execution

try wrapping vars in "' ... '"
Comment 15 Rex Dieter 2015-01-19 11:20:39 UTC
Haven't heard any complaints, so...

Committed the latest approach,
http://cgit.freedesktop.org/xdg/xdg-utils/commit/?id=ab071beaabb62ceda3028dd5efa85e8057c29006
Comment 16 Geert Janssens 2015-01-21 19:59:09 UTC
I'm confused. How exactly can I verify the patch is fixing the arbitrary command injection vulnerability ?

I have installed xdg-utils-1.1.0-0.35.rc3.fc20, which should carry the patch.

However the test command

DE="generic" XDG_CURRENT_DESKTOP="" xdg-open 'http://127.0.0.1/$(xterm)' START /usr/bin/chromium-browser "http://127.0.0.1/$(xterm)"

opens en xterm both before I installed the test package and after.

I would have thought that the new package was supposed open my default browser (being firefox).

The package that was installed before the update was
xdg-utils.noarch 0:1.1.0-0.31.rc2.fc20
Comment 17 Rex Dieter 2015-01-21 23:44:13 UTC
I cannot reproduce it anymore.

What shell are you using?
Comment 18 Rex Dieter 2015-01-21 23:45:29 UTC
fWiw, I get:

$ DE="generic" XDG_CURRENT_DESKTOP="" xdg-open 'http://127.0.0.1/$(xterm)
START /usr/bin/google-chrome-stable http://127.0.0.1/$(xterm)

With a browser window with url:  http://127.0.0.1/$(xterm)
Comment 19 Rex Dieter 2015-01-21 23:47:15 UTC
this test case, however, launches an xterm:

DE="generic" XDG_CURRENT_DESKTOP="" xdg-open "http://127.0.0.1/$(xterm)"


(note the difference here is the argument is double quotes, note single quote)

I'll have to double-check if this is valid or not
Comment 20 Florian Weimer 2015-01-22 08:12:18 UTC
(In reply to Rex Dieter from comment #19)
> this test case, however, launches an xterm:
> 
> DE="generic" XDG_CURRENT_DESKTOP="" xdg-open "http://127.0.0.1/$(xterm)"
> 
> 
> (note the difference here is the argument is double quotes, note single
> quote)
> 
> I'll have to double-check if this is valid or not

This test case is not valid because the user's shell starts xterm before even calling xdg-open.  There is nothing xdg-open can do against this.
Comment 21 Rex Dieter 2015-01-22 12:29:34 UTC
Thanks, I came to the same conclusion


Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.