From 11a4bd44692f74a8b8b4615e44dc897c929ef1e5 Mon Sep 17 00:00:00 2001

From: Rex Dieter <rdieter@math.unl.edu>

Date: Mon, 5 Jan 2015 13:09:05 -0600

Subject: [PATCH 2/5] xdg-open: command injection vulnerability (BR66670)

---

 ChangeLog           | 3 +++

 scripts/xdg-open.in | 6 +++---

 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/ChangeLog b/ChangeLog

index 735fee7..e309517 100644

--- a/ChangeLog

+++ b/ChangeLog

@@ -1,5 +1,8 @@

 === xdg-utils 1.1.x ===

+2015-01-05 Rex Dieter <rdieter@fedoraproject.org>

+   * xdg-open: command injection vulnerability (BR66670)

+

 2015-01-04 Rex Dieter <rdieter@fedoraproject.org>

    * xdg-screensaver should control X11's screensaver in xfce as fallback (BR80089)

diff --git a/scripts/xdg-open.in b/scripts/xdg-open.in

index 0145be3..9f01747 100644

--- a/scripts/xdg-open.in

+++ b/scripts/xdg-open.in

@@ -186,17 +186,17 @@ search_desktop_file()

         # FIXME: Actually LC_MESSAGES should be used as described in

         # http://standards.freedesktop.org/desktop-entry-spec/latest/ar01s04.html

         localised_name="'$(get_key "${file}" "Name")'"

-        arguments_exec="$(echo "$arguments" | sed -e 's*%[fFuU]*"'"$arg_one"'"*g' \

+        arguments_exec="$(echo "$arguments" | sed -e 's*%[fFuU]*'"$arg_one"'*g' \

                                                   -e 's*%i*'"$icon"'*g' \

                                                   -e 's*%c*'"$localised_name"'*g')"

         if [ -x "$command_exec" ] ; then

             if echo "$arguments" | grep -iq '%[fFuU]' ; then

                 echo START "$command_exec" "$arguments_exec"

-                eval "$command_exec" "$arguments_exec"

+                eval "$command_exec" '$arguments_exec'

             else

                 echo START "$command_exec" "$arguments_exec" "$arg"

-                eval "$command_exec" "$arguments_exec" "$arg"

+                eval "$command_exec" '$arguments_exec' '$arg'

             fi

             if [ $? -eq 0 ]; then

-- 

2.1.0