From ce802d71c3466d1dbb24f2fe9b6db82a1f899bcb Mon Sep 17 00:00:00 2001

From: Gabriel Corona <gabriel.corona@enst-bretagne.fr>

Date: Mon, 19 Mar 2018 22:09:00 +0100

Subject: [PATCH] Avoid argument injection vulnerability in open_envvar()

---

 scripts/xdg-open.in | 10 +++++++++-

 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/scripts/xdg-open.in b/scripts/xdg-open.in

index 2972257..021524b 100644

--- a/scripts/xdg-open.in

+++ b/scripts/xdg-open.in

@@ -351,6 +351,11 @@ open_generic_xdg_x_scheme_handler()

     fi

 }

+has_single_argument()

+{

+  test $# = 1

+}

+

 open_envvar()

 {

     local oldifs="$IFS"

@@ -365,7 +370,10 @@ open_envvar()

         fi

         if echo "$browser" | grep -q %s; then

-            $(printf "$browser" "$1")

+            # Avoid argument injection.

+            # See https://bugs.freedesktop.org/show_bug.cgi?id=103807

+            # URIs don't have IFS characters spaces anyway.

+            has_single_argument $1 && $(printf "$browser" "$1")

         else

             $browser "$1"

         fi

-- 

2.17.1