Hot Keys feature: special shell characters not escaped in %f macros
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
gthumb (Ubuntu) | Fix Released | Undecided | Unassigned |
Bug Description
Binary package hint: gthumb
The Feisty version of gthumb does not escape all special shell characters passed via the %f macro of the new Hot Keys feature. In particular ">" and "<" are not escaped, although spaces and other special characters are.
Might be a security issue if users are receiving files with these characters from an untrusted source.
Steps to reproduce:
; Open a Terminal. In it type:
$ mkdir /tmp/a
$ cd /tmp/a
$ cp /var/www/
; you can of course copy any image file you like.
$ gthumb 'foo>bif bam.png'
; In GThumb, navigate to Edit>Preference
; then change hot-key 0 to:
; echo %f
; and press Close.
; Click on the displayed image to select it.
; Press numpad-zero.
; Note nothing is echoed to the terminal.
; Press ctrl+w to exit.
$ ls -l
total 8
-rw-rw---- 1 testuser users 11 2007-06-10 23:18 bif bam.png
-rw-r----- 1 testuser users 1385 2007-06-10 23:16 foo>bif bam.png
$ cat 'bif bam.png'
/tmp/a/foo
$
Expected behaviour:
The full path of the file is echoed to the terminal, and no new file is created in the test directory.
Observed behaviour:
Nothing is echoed to the Terminal, and a new file is created within the directory.
More observations:
It's useless to quote the "%f" with either single or double quotes: this doesn't result in anything the shell will expand to the correct filename. It doesn't work like that; note that spaces are escaped properly before passing to the shell. Further playing around reveals behaviour corresponding to "$", "|", and spaces being escaped properly, but not angle brackets.
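The following Python sketch is an added example, not code from the bug report or from gThumb itself. It contrasts the two escaping strategies the report describes: a backslash escaper that handles only spaces, `$` and `|` (the partial behaviour the reporter observed, which lets `>` through) versus full POSIX quoting with `shlex.quote`, and adds a scanner that flags any metacharacter left unquoted in the expanded hot-key command. All function names, the metacharacter list and the `reproduce()` helper (which assumes a POSIX `/bin/sh` and uses a throwaway directory instead of `/tmp/a`) are my own assumptions.

```python
import os
import shlex
import subprocess
import tempfile

# Characters a POSIX shell may interpret; none of these should reach
# /bin/sh unquoted when they come from a filename. (Assumed list.)
METACHARS = set(' \t\n$|&;<>()`"\'\\*?[]#~!{}')


def naive_escape(path: str) -> str:
    """Backslash-escape only spaces, '$' and '|', the subset the report
    observed being handled. Angle brackets pass through: this reproduces
    the bug, it is not a fix."""
    out = []
    for ch in path:
        if ch in ' $|':
            out.append('\\')
        out.append(ch)
    return ''.join(out)


def safe_escape(path: str) -> str:
    """Single-quote the whole argument. shlex.quote also handles embedded
    single quotes, so nothing inside can be interpreted by the shell."""
    return shlex.quote(path)


def expand_hotkey(template: str, path: str, escape) -> str:
    """Substitute the escaped path for every %f in a hot-key template."""
    return template.replace('%f', escape(path))


def unquoted_metachars(cmd: str) -> list:
    """Return (index, char) for every non-whitespace metacharacter in cmd
    that is neither backslash-escaped nor inside single or double quotes.
    An empty list means the command carries no injectable syntax."""
    found = []
    quote = None
    i = 0
    while i < len(cmd):
        ch = cmd[i]
        if quote is None:
            if ch == '\\':          # escaped char: skip it
                i += 2
                continue
            if ch in ("'", '"'):
                quote = ch
            elif ch in METACHARS and ch not in ' \t\n':
                found.append((i, ch))
        elif ch == quote:           # closing quote
            quote = None
        elif quote == '"' and ch == '\\':
            i += 2                  # backslash still escapes inside "..."
            continue
        i += 1
    return found


def reproduce(escape):
    """Run the expanded 'echo %f' hot-key through /bin/sh in a temporary
    directory and return (stdout, files the command created). Mirrors the
    report's /tmp/a walkthrough with a constructed empty stand-in image."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, 'foo>bif bam.png')
        open(path, 'wb').close()
        before = set(os.listdir(d))
        cmd = expand_hotkey('echo %f', path, escape)
        proc = subprocess.run(['/bin/sh', '-c', cmd], cwd=d,
                              capture_output=True, text=True)
        created = sorted(set(os.listdir(d)) - before)
        return proc.stdout.strip(), created


if __name__ == '__main__':
    for name, esc in (('naive', naive_escape), ('safe', safe_escape)):
        cmd = expand_hotkey('echo %f', '/tmp/a/foo>bif bam.png', esc)
        print(name, repr(cmd), 'unquoted:', unquoted_metachars(cmd))
        print('   sh result:', reproduce(esc))
```

With the naive escaper the expanded command is `echo /tmp/a/foo>bif\ bam.png`, the scanner reports the `>` at index 15, and `reproduce()` shows empty output plus a new file `bif bam.png`, exactly the report's observation; with `shlex.quote` the scanner finds nothing and the full path is echoed. Whole-argument quoting is the robust fix because it needs no list of "dangerous" characters to keep complete.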
Yuck, why would you put angle brackets in a filename?
Anyway, gThumb has been patched to escape angle brackets (http://svn.gnome.org/viewcvs/gthumb?rev=1692&view=rev). The fix should appear in 2.10.4.
- Mike