From 11a4bd44692f74a8b8b4615e44dc897c929ef1e5 Mon Sep 17 00:00:00 2001
From: Rex Dieter
Date: Mon, 5 Jan 2015 13:09:05 -0600
Subject: [PATCH 2/2] xdg-open: command injection vulnerability (BR66670)
---
 ChangeLog | 3 +++
 scripts/xdg-open.in | 6 +++---
 2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 735fee7..e309517 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,8 @@
 === xdg-utils 1.1.x ===
+2015-01-05 Rex Dieter
+ * xdg-open: command injection vulnerability (BR66670)
+
 2015-01-04 Rex Dieter
 * xdg-screensaver should control X11's screensaver in xfce as fallback (BR80089)
diff --git a/scripts/xdg-open.in b/scripts/xdg-open.in
index 0145be3..9f01747 100644
--- a/scripts/xdg-open.in
+++ b/scripts/xdg-open.in
@@ -186,17 +186,17 @@ search_desktop_file()
 # FIXME: Actually LC_MESSAGES should be used as described in
 # http://standards.freedesktop.org/desktop-entry-spec/latest/ar01s04.html
 localised_name="'$(get_key "${file}" "Name")'"
- arguments_exec="$(echo "$arguments" | sed -e 's*%[fFuU]*"'"$arg_one"'"*g' \
+ arguments_exec="$(echo "$arguments" | sed -e 's*%[fFuU]*'"$arg_one"'*g' \
 -e 's*%i*'"$icon"'*g' \
 -e 's*%c*'"$localised_name"'*g')"
 if [ -x "$command_exec" ] ; then
 if echo "$arguments" | grep -iq '%[fFuU]' ; then
 echo START "$command_exec" "$arguments_exec"
- eval "$command_exec" "$arguments_exec"
+ eval "$command_exec" '$arguments_exec'
 else
 echo START "$command_exec" "$arguments_exec" "$arg"
- eval "$command_exec" "$arguments_exec" "$arg"
+ eval "$command_exec" '$arguments_exec' '$arg'
 fi
 if [ $? -eq 0 ]; then
-- 
1.9.3
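Review bot: In both new `eval` lines of scripts/xdg-open.in, the single-quoted `$arguments_exec` (and `$arg` in the else branch) is expanded unquoted inside the eval. The value is no longer re-parsed as shell code, but it is still word-split and glob-expanded, and the double quotes that kept the target together were removed from the sed replacement, so a target containing spaces, `*` or `?` can reach the handler as several or different arguments. In the else branch the eval can be dropped entirely: `"$command_exec" $arguments_exec "$arg"`. For the `%[fFuU]` branch it would be more robust to build the argument list word by word and insert the target as one quoted word, because in the sed expression `$arg_one` is also read as replacement text (`*` is the delimiter, `&` and `\` are special). `"$command_exec"` is still expanded before eval parses the line, so this relies on that value being trusted; it is assigned outside this hunk, and search_desktop_file() itself starts and ends outside it.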