A Debian user reported a different command injection issue recently, and proposed a patch too: https://bugs.debian.org/cgi-bin/bugreport.cgi?msg=5;filename=xdg-open.diff;att=1;bug=777722 It seems to have to do with local variable usage that isn't really local. For more detail, see: https://bugs.debian.org/777722
The code has diverged a bit in git so that patch no longer applies. But good news: the current code should be safe(r), since all uses of local $var are initialized to avoid the problem. In particular, the code closest to what this patch touches now contains:

    search_desktop_file()
    {
        local default="$1"
        local dir="$2"
        local arg="$3"
        local file=""
        # look for both vendor-app.desktop, vendor/app.desktop
        ...

Lastly, with the test case given in the Debian report, I cannot reproduce in Fedora 20 at least.

    $ cat testme
    testme()
    {
        x=backfromthedead
        local x
        echo $x
    }
    $ bash testme
    $ dash testme
    $ rpm -q bash dash
    bash-4.2.53-2.fc20.i686
    dash-0.5.8-1.fc20.i686
The script you ran lacks the actual function call, the call to "testme" at the end. It should be:

    $ cat testme
    testme()
    {
        x=backfromthedead
        local x
        echo $x
    }
    testme
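The behaviour behind that test case, as an added example that is not from the bug report or from xdg-utils: the function names `leaky_lookup`, `safe_lookup` and `probe_shell` are chosen here, and the caller-scope value is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the bug report or from xdg-utils.
# It shows why an uninitialised `local` is risky in a script that may run
# under dash: `local file` inherits the caller's value in dash but starts
# unset in bash, while `local file=""` is empty in both shells.

# Constructed caller-scope value standing in for anything that reached the
# shell's variable scope before the function ran.
file="backfromthedead"

# Mirrors the pattern the Debian report flagged: declared local, never set.
leaky_lookup() {
    local file
    printf '%s' "$file"
}

# Mirrors the current xdg-utils style: every local gets an initialiser.
safe_lookup() {
    local file=""
    printf '%s' "$file"
}

# Runs the leaky pattern under a named shell so the two behaviours can be
# compared side by side on one machine; skips shells that are not installed.
probe_shell() {
    shell_bin="$1"
    if ! command -v "$shell_bin" >/dev/null 2>&1; then
        printf '%s: not installed\n' "$shell_bin"
        return 0
    fi
    "$shell_bin" -c 'file=backfromthedead
                     f() { local file; printf "%s" "$file"; }
                     printf "%s: leaky=[%s]\n" "$0" "$(f)"' "$shell_bin"
}

# Any value other than the empty string in leaky=[...] means the local
# inherited the caller's value; safe=[...] is empty in every shell.
printf 'this shell: leaky=[%s] safe=[%s]\n' "$(leaky_lookup)" "$(safe_lookup)"
probe_shell dash
probe_shell bash
```

Running it with both interpreters installed shows the dash line carrying the inherited value and the bash line empty, which is exactly the divergence the missing `testme` call hid in the earlier attempt.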