xdg-utils/CVE-2017-18266.patch

From ce802d71c3466d1dbb24f2fe9b6db82a1f899bcb Mon Sep 17 00:00:00 2001
From: Gabriel Corona <gabriel.corona@enst-bretagne.fr>
Date: Mon, 19 Mar 2018 22:09:00 +0100
Subject: [PATCH] Avoid argument injection vulnerability in open_envvar()

---
 scripts/xdg-open.in | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/scripts/xdg-open.in b/scripts/xdg-open.in
index 2972257..021524b 100644
--- a/scripts/xdg-open.in
+++ b/scripts/xdg-open.in
@@ -351,6 +351,11 @@ open_generic_xdg_x_scheme_handler()
     fi
 }
 
+has_single_argument()
+{
+  test $# = 1
+}
+
 open_envvar()
 {
     local oldifs="$IFS"
@@ -365,7 +370,10 @@ open_envvar()
         fi
 
         if echo "$browser" | grep -q %s; then
-            $(printf "$browser" "$1")
+            # Avoid argument injection.
+            # See https://bugs.freedesktop.org/show_bug.cgi?id=103807
+            # URIs don't have IFS characters spaces anyway.
+            has_single_argument $1 && $(printf "$browser" "$1")
         else
             $browser "$1"
         fi
-- 
2.17.1
Auto sync2gitlab import of xdg-utils-1.1.2-5.el8.src.rpm 2022-05-26 20:17:48 +00:00			`From ce802d71c3466d1dbb24f2fe9b6db82a1f899bcb Mon Sep 17 00:00:00 2001`
			`From: Gabriel Corona <gabriel.corona@enst-bretagne.fr>`
			`Date: Mon, 19 Mar 2018 22:09:00 +0100`
			`Subject: [PATCH] Avoid argument injection vulnerability in open_envvar()`

			`---`
			`scripts/xdg-open.in \| 10 +++++++++-`
			`1 file changed, 9 insertions(+), 1 deletion(-)`

			`diff --git a/scripts/xdg-open.in b/scripts/xdg-open.in`
			`index 2972257..021524b 100644`
			`--- a/scripts/xdg-open.in`
			`+++ b/scripts/xdg-open.in`
			`@@ -351,6 +351,11 @@ open_generic_xdg_x_scheme_handler()`
			`fi`
			`}`

			`+has_single_argument()`
			`+{`
			`+ test $# = 1`
			`+}`
			`+`
			`open_envvar()`
			`{`
			`local oldifs="$IFS"`
			`@@ -365,7 +370,10 @@ open_envvar()`
			`fi`

			`if echo "$browser" \| grep -q %s; then`
			`- $(printf "$browser" "$1")`
			`+ # Avoid argument injection.`
			`+ # See https://bugs.freedesktop.org/show_bug.cgi?id=103807`
			`+ # URIs don't have IFS characters spaces anyway.`
			`+ has_single_argument $1 && $(printf "$browser" "$1")`
			`else`
			`$browser "$1"`
			`fi`
			`--`
			`2.17.1`