Description of problem: The generic handler of xdg-open (i.e. when not running in KDE, GNOME or XFCE) has the following code: browser_with_arg=`echo "$browser" | sed s#%s#"$1"#` if [ x"$browser_with_arg" = x"$browser" ]; then "$browser" "$1"; else $browser_with_arg; fi sed interprets any commands in the argument and the result is executed by the script. Version-Release number of selected component (if applicable): xdg-utils-1.0.2-2.fc8 How reproducible: Always Steps to Reproduce: 1. uninstall perl-File-MimeInfo package (not necessary with xdg-utils-1.0.2-3) 2. start plain X session 3. xdg-open 'http://foo.org/bar#;g;sx$xtouch:foox' Actual results: File foo created. Expected results: The page opened in a web browser. Additional info:
I proposed an un-embargo date of Monday 28th. Rex: Would it be possible to make a fix until then. Please do not commit a fix publicly until then. Also, I was not able to find a way to communicate a security sensitive information to upstream. Could you please assist with it?
xdg-email from the package has the same problem.
From upstream: A quick test showed that instead of the problematic sed command this should work as well browser_with_arg=${browser//'%s'/"$1"} However I have only tested this with /bin/sh being a symlink to /bin/bash, so it will still need testing for other shells.
Have anyone of you looked if this only affects Fedora 8?
I'm pretty sure this issue is valid pretty much everywhere xdg-utils is deployed, currently all supported fedora and epel releases.
This is public now: http://webcvs.freedesktop.org/portland/portland/xdg-utils/scripts/xdg-open.in?r1=1.17&r2=1.18 http://webcvs.freedesktop.org/portland/portland/xdg-utils/scripts/xdg-open?r1=1.32&r2=1.33 http://webcvs.freedesktop.org/portland/portland/xdg-utils/scripts/xdg-email.in?r1=1.24&r2=1.25 http://webcvs.freedesktop.org/portland/portland/xdg-utils/scripts/xdg-email?r1=1.36&r2=1.37 Patch is in CVS and building now.
https://admin.fedoraproject.org/updates/F8/pending/xdg-utils-1.0.2-4.fc8 https://admin.fedoraproject.org/updates/F7/pending/xdg-utils-1.0.2-4.fc7
xdg-utils-1.0.2-4.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
xdg-utils-1.0.2-4.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
By the same token another use of sed in xdg-open can be eliminated. Like this: kfmclient_fix_exit_code() { test "$2" = "KDE:" || return 1 release="$3" release="${release%%[^0-9.]*}" major=${release%%.*} release=${release#$major.} minor=${release%%.*} release=${release#$minor.} test "$major" -gt 3 && return $1 test "$minor" -gt 5 && return $1 test "$release" -gt 4 && return $1 return 0 } and call it with kfmclient_fix_exit_code $? `kde-config --version 2>/dev/null | grep KDE`