Avoid argument injection vulnerability in open_envvar()

author: Gabriel Corona <gabriel.corona@enst-bretagne.fr> 2018-03-19 22:09:00 +0100
committer: Rex Dieter <rdieter@gmail.com> 2018-05-09 14:14:05 -0500
commit: ce802d71c3466d1dbb24f2fe9b6db82a1f899bcb (patch)
tree: 8169704b740974c7c62f1bf5be18d3468bc4c45e
parent: a9bf6d0a3fc771f5c4c1c5a8941e5234dc4f82bf (diff)
1 files changed, 9 insertions, 1 deletions
diff --git a/scripts/xdg-open.in b/scripts/xdg-open.in
index 2972257..021524b 100644
--- a/scripts/xdg-open.in
+++ b/scripts/xdg-open.in
@@ -351,6 +351,11 @@ open_generic_xdg_x_scheme_handler()
     fi
 }
 
+has_single_argument()
+{
+  test $# = 1
+}
+
 open_envvar()
 {
     local oldifs="$IFS"
@@ -365,7 +370,10 @@ open_envvar()
         fi
 
         if echo "$browser" | grep -q %s; then
-            $(printf "$browser" "$1")
+            # Avoid argument injection.
+            # See https://bugs.freedesktop.org/show_bug.cgi?id=103807
+            # URIs don't have IFS characters spaces anyway.
+            has_single_argument $1 && $(printf "$browser" "$1")
         else
             $browser "$1"
         fi
author	Gabriel Corona <gabriel.corona@enst-bretagne.fr>	2018-03-19 22:09:00 +0100
committer	Rex Dieter <rdieter@gmail.com>	2018-05-09 14:14:05 -0500
commit	ce802d71c3466d1dbb24f2fe9b6db82a1f899bcb (patch)
tree	8169704b740974c7c62f1bf5be18d3468bc4c45e
parent	a9bf6d0a3fc771f5c4c1c5a8941e5234dc4f82bf (diff)