Command arguments not escaped when opening link/email addresses

Bug #1749702 reported by Torbjörn Lönnemark
Affects: Sakura
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned
Milestone:

Bug Description

When executing xdg-{open,email} to open a URL, the URL is not escaped properly.

This becomes evident when opening a URL like:

  http://example.com/"

Where sakura shows an error dialog:

  Couldn't exec ".../xdg-open http://example.com"": Text ended before matching quote was found for ". [...]

This *could* be fixed by escaping the arguments, but it would be better to use g_spawn_async and construct the argv array manually rather than building a command line string and then parsing it immediately afterwards (which g_spawn_command_line_async does).

This is probably not a security issue, because glib parses the command line internally and calls exec using the resulting argv array (the command string is not passed directly to sh), meaning injection of shell control characters should not be possible.

Attaching a patch with a fix.
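
The difference between the two spawn styles described in the report, as an added example that is not part of the report or of Sakura's patch. It assumes Python's shlex.split as a stand-in for the command-line parsing that g_spawn_command_line_async performs, and a child Python process that echoes its arguments as a stand-in for xdg-open; the sample URLs are constructed.

```python
import json
import shlex
import subprocess
import sys

# Constructed sample URLs; the first is the one quoted in the report.
SAMPLES = [
    'http://example.com/"',
    'http://example.com/a"b"c',
    "http://example.com/it's",
    "http://example.com/plain",
]

# Stand-in for xdg-open (assumption): a child that prints the argv it received.
ECHO_CHILD = [sys.executable, "-c",
              "import json, sys; print(json.dumps(sys.argv[1:]))"]


def via_command_line(url):
    """Build one string, then split it again, as a command-line spawn API does.

    Returns the arguments the helper would receive, or None when the
    string cannot be parsed and nothing would be spawned.
    """
    cmdline = "xdg-open " + url
    try:
        return shlex.split(cmdline)[1:]
    except ValueError:  # unbalanced quote, the error shown in the dialog
        return None


def via_argv(url):
    """Pass the URL as its own argv element; no string is ever re-parsed."""
    done = subprocess.run(ECHO_CHILD + [url], capture_output=True,
                          text=True, check=True)
    return json.loads(done.stdout)


def compare(url):
    """Show what each spawn style hands to the helper for one URL."""
    return {"url": url,
            "command_line": via_command_line(url),
            "argv": via_argv(url)}


if __name__ == "__main__":
    for sample in SAMPLES:
        print(compare(sample))
```

Besides the parse failure from the report, the second sample shows the quieter failure mode: balanced quotes are stripped by the re-parse, so the helper opens a different URL than the one the user clicked.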

Torbjörn Lönnemark (tobbez) wrote :
summary: - Command arguments not escapedrldg-open command arguments not escaped
- when opening link/email addresses
+ Command arguments not escaped when opening link/email addresses
David Gómez (dabisu) wrote :

Thanks, patch committed.

Changed in sakura:
status: New → Fix Committed
David Gómez (dabisu)
Changed in sakura:
status: Fix Committed → Fix Released