File 0001-Avoid-argument-injection-vulnerability-in-open_envvar.patch of Package xdg-utils.7563
Index: xdg-utils-20140630/scripts/xdg-open.in
===================================================================
--- xdg-utils-20140630.orig/scripts/xdg-open.in
+++ xdg-utils-20140630/scripts/xdg-open.in
@@ -241,6 +241,11 @@ open_generic_xdg_x_scheme_handler()
fi
}
+has_single_argument()
+{
+ test $# = 1
+}
+
open_generic()
{
# Paths or file:// URLs
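Review bot: `has_single_argument` carries no comment explaining its contract, and it only works because the caller deliberately leaves `$1` unquoted so that word-splitting under the default IFS turns an injected separator into extra positional parameters; a maintainer who later "fixes" the quoting would silently disable the check. Suggest a header comment above the function such as `# Returns 0 when called with exactly one word. Callers pass the URI unquoted on purpose: under the default IFS a URI carrying whitespace splits into several words and the browser is not launched.`, and `[ "$#" -eq 1 ]` instead of `test $# = 1` for a conventional numeric comparison. The comment should also state that the check assumes IFS has been restored from the `:` used to split `$BROWSER` before the call, which the next hunk does with `IFS="$oldifs"` but the helper itself cannot verify. Word-splitting is the only thing it detects, so the unquoted `$(printf "$browser" "$1")` in the caller still appears to be subject to pathname expansion (`?` and `*` are common in URIs) unless globbing is disabled around that expansion.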
@@ -277,23 +282,25 @@ open_generic()
open_generic_xdg_x_scheme_handler "$1"
+ oldifs="$IFS"
IFS=":"
for browser in $BROWSER; do
- if [ x"$browser" != x"" ]; then
-
- browser_with_arg=`printf "$browser" "$1" 2>/dev/null`
- if [ $? -ne 0 ]; then
- browser_with_arg=$browser;
- fi
+ IFS="$oldifs"
+ if [ -z "$browser" ]; then
+ continue
+ fi
- if [ x"$browser_with_arg" = x"$browser" ]; then
- eval '$browser "$1"'$xdg_redirect_output;
- else eval '$browser_with_arg'$xdg_redirect_output;
- fi
+ if echo "$browser" | grep -q %s; then
+ # Avoid argument injection.
+ # See https://bugs.freedesktop.org/show_bug.cgi?id=103807
+ # URIs don't have IFS characters spaces anyway.
+ has_single_argument $1 && $(printf "$browser" "$1")
+ else
+ $browser "$1"
+ fi
- if [ $? -eq 0 ]; then
- exit_success;
- fi
+ if [ $? -eq 0 ]; then
+ exit_success
fi
done