Command arguments not escaped when opening link/email addresses
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Sakura | Fix Released | Undecided | Unassigned | |
Bug Description
When executing xdg-{open,email} to open a URL, the URL is not escaped properly.
This becomes evident when opening a URL like:
Where sakura shows an error dialog:
Couldn't exec ".../xdg-open http://
This *could* be fixed by escaping the arguments, but it would be better to use g_spawn_async and construct the argv array manually rather than building a command line string and then parsing it immediately afterwards (which g_spawn_
This is probably not a security issue, because glib parses the command line internally and calls exec using the resulting argv array (the command string is not passed directly to sh), meaning injection of shell control characters should not be possible.
Attaching a patch with a fix.
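The two approaches the report contrasts, as an added example that is not part of the original report or its attached patch. It is written in Python, with `shlex.split` and `shlex.quote` standing in for the shell-style parsing and quoting GLib applies to a command line string (an assumption; the two parsers are not identical), and the sample URLs are constructed.

```python
import shlex

OPENER = "xdg-open"  # helper named in the report


def argv_from_command_string(url):
    """Fragile pattern: format a command line, then parse it straight back.

    shlex.split is a stand-in for GLib's command line parsing (assumption).
    Returns (argv, error_message).
    """
    try:
        return shlex.split(f"{OPENER} {url}"), None
    except ValueError as exc:
        return None, str(exc)


def argv_from_quoted_string(url):
    """First option in the report: escape the argument before parsing."""
    return shlex.split(f"{OPENER} {shlex.quote(url)}")


def argv_direct(url):
    """Preferred option: build argv by hand, so no parsing step exists."""
    return [OPENER, url]


# Constructed sample URLs, not taken from the bug report.
SAMPLES = [
    "http://example.com/plain",
    "http://example.com/it's",    # unbalanced quote: parsing fails outright
    "http://example.com/a b",     # whitespace: URL is split into two words
    'http://example.com/?q="x"',  # balanced quotes: silently stripped
]


def compare(samples=SAMPLES):
    """Report, per URL, whether each approach hands the URL over intact."""
    rows = []
    for url in samples:
        parsed, err = argv_from_command_string(url)
        rows.append({
            "url": url,
            "string_ok": parsed == [OPENER, url],
            "string_error": err,
            "quoted_ok": argv_from_quoted_string(url) == [OPENER, url],
            "direct_ok": argv_direct(url) == [OPENER, url],
        })
    return rows


if __name__ == "__main__":
    for row in compare():
        print(row)
```

Only the hand-built argv is correct by construction; the quoted variant works only as long as the quoting and parsing rules stay in agreement.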
Changed in sakura:
status: Fix Committed → Fix Released
Thanks, patch committed.