openSUSE:Leap:15.1:Rings:1-MinimalX
File 0001-Avoid-argument-injection-vulnerability-in-open_envvar.patch of Package xdg-utils
From ce802d71c3466d1dbb24f2fe9b6db82a1f899bcb Mon Sep 17 00:00:00 2001 From: Gabriel Corona <gabriel.corona@enst-bretagne.fr> Date: Mon, 19 Mar 2018 22:09:00 +0100 Subject: Avoid argument injection vulnerability in open_envvar() --- scripts/xdg-open.in | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/scripts/xdg-open.in b/scripts/xdg-open.in index 2972257..021524b 100644 --- a/scripts/xdg-open.in +++ b/scripts/xdg-open.in @@ -351,6 +351,11 @@ open_generic_xdg_x_scheme_handler() fi } +has_single_argument() +{ + test $# = 1 +} + open_envvar() { local oldifs="$IFS" @@ -365,7 +370,10 @@ open_envvar() fi if echo "$browser" | grep -q %s; then - $(printf "$browser" "$1") + # Avoid argument injection. + # See https://bugs.freedesktop.org/show_bug.cgi?id=103807 + # URIs don't have IFS characters spaces anyway. + has_single_argument $1 && $(printf "$browser" "$1") else $browser "$1" fi -- cgit v1.1
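Review bot: has_single_argument() in the first hunk (@@ -351,6 +351,11 @@) has no comment stating that it only works when the caller passes the value unquoted. `test $# = 1` counts the words left after field splitting, so a quoted call such as has_single_argument "$1" is true for any value. A one-line comment above the function describing that contract would keep a later cleanup that adds quotes from silently disabling the check. `test $# -eq 1` would also express the numeric comparison more directly than the string `=`.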
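Review bot: In the open_envvar() hunk (@@ -365,7 +370,10 @@), when `has_single_argument $1` fails the `&&` list skips the browser command without any message, so in this branch a URL that splits into several words is dropped silently; an explicit if/else that prints a diagnostic to stderr would make the rejection visible. The unquoted `$1` and the unquoted `$(printf "$browser" "$1")` are also both subject to pathname expansion, which the word count does not cover, so the check guards field splitting only; wrapping these lines in `set -f` would address that. The new comment "URIs don't have IFS characters spaces anyway" reads as if a word or punctuation is missing.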