Bug 89130 - safer xdg-open
Summary: safer xdg-open
Status: RESOLVED FIXED
Alias: None
Product: Portland
Classification: Unclassified
Component: xdg-utils
Version: 1.1.0 rc1
Hardware: All Linux (All)
Importance: medium normal
Assignee: Portland Bugs
QA Contact:
URL: https://bugs.freedesktop.org/66670
Whiteboard:
Keywords: patch
Depends on:
Blocks:
 
Reported: 2015-02-13 06:34 UTC by Michael Gilbert
Modified: 2015-02-20 22:00 UTC

Attachments
xdg-open-safe.diff (3.18 KB, text/plain)
2015-02-13 06:35 UTC, Michael Gilbert

Description Michael Gilbert 2015-02-13 06:34:28 UTC
In Debian, additional changes for CVE-2014-9622 were added for safer parsing:
https://bugs.freedesktop.org/66670
https://bugs.debian.org/773085

The Debian patch is attached.  It applies to an older release candidate, so may not apply cleanly.
Comment 1 Michael Gilbert 2015-02-13 06:35:40 UTC
Created attachment 113448
xdg-open-safe.diff
Comment 2 Rex Dieter 2015-02-13 12:46:18 UTC
Thanks!

Offhand, this does look like a much better approach.
Comment 3 Rex Dieter 2015-02-20 18:21:22 UTC
Boo, similar to bug #89129, this patch was generated against a much older version of xdg-utils and no longer applies as-is.

I'll see if I can rework it.
Comment 4 Rex Dieter 2015-02-20 22:00:56 UTC
Adapted it with only little fuss, thanks again. :)

http://cgit.freedesktop.org/xdg/xdg-utils/commit/?id=13d9b0cac97e438bf7dc06452ee7fb3480907d88

