Hot Keys feature: special shell characters not escaped in %f macros

Bug #119769 reported by Andrew Chadwick
Affects: gthumb (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned
Milestone: (none listed)

Bug Description

Binary package hint: gthumb

The Feisty version of gthumb does not escape all special shell characters passed via the %f macro of the new Hot Keys feature. In particular ">" and "<" are not escaped, although spaces and other special characters are.

Might be a security issue if users are receiving files with these characters from an untrusted source.

Steps to reproduce:

  ; Open a Terminal. In it type:
  $ mkdir /tmp/a
  $ cd /tmp/a
  $ cp /var/www/apache2-default/apache_pb.png 'foo>bif bam.png'
  ; you can of course copy any image file you like.
  $ gthumb 'foo>bif bam.png'
  ; In GThumb, navigate to Edit>Preferences>Hot Keys,
  ; then change hot-key 0 to:
  ; echo %f
  ; and press Close.
  ; Click on the displayed image to select it.
  ; Press numpad-zero.
  ; Note nothing is echoed to the terminal.
  ; Press ctrl+w to exit.
  $ ls -l
  total 8
  -rw-rw---- 1 testuser users 11 2007-06-10 23:18 bif bam.png
  -rw-r----- 1 testuser users 1385 2007-06-10 23:16 foo>bif bam.png
  $ cat 'bif bam.png'
  /tmp/a/foo
  $

Expected behaviour:

The full path of the file is echoed to the terminal, and no new file is created in the test directory.

Observed behaviour:

Nothing is echoed to the Terminal, and a new file is created within the directory.

More observations:

It's useless to quote the "%f" with either single or double quotes: this doesn't result in anything the shell will expand to the correct filename. It doesn't work like that; note that spaces are escaped properly before passing to the shell. Further playing around reveals behaviour corresponding to "$", "|", and spaces being escaped properly, but not angle brackets.
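The behaviour in the report can be reproduced without gthumb by modelling the two halves of the problem: a backslash escaper that handles spaces, "$" and "|" but lets "<" and ">" through, and a quoter that wraps the whole argument so the shell performs no expansion at all. The following Python is an added illustration written for this page; it is not gthumb's code, and the `escape_partial` function is a hypothetical reconstruction of the incomplete escaping the report describes, not the actual routine that was patched. The test filename is constructed to have the same shape as the one in the steps above.

```python
import os
import shlex
import subprocess
import tempfile

# Hypothetical reconstruction of the incomplete escaping the report describes:
# spaces, "$" and "|" get a backslash, but "<" and ">" are passed through.
PARTIAL_ESCAPE_CHARS = set(' $|')


def escape_partial(path: str) -> str:
    """Backslash-escape only some shell metacharacters (the buggy behaviour)."""
    return ''.join('\\' + c if c in PARTIAL_ESCAPE_CHARS else c for c in path)


def escape_full(path: str) -> str:
    """Single-quote the whole argument so the shell does no expansion at all.
    shlex.quote also handles embedded single quotes correctly."""
    return shlex.quote(path)


def run_hotkey(template: str, filename: str, escaper) -> dict:
    """Expand %f in the hot-key template with the given escaper and run the
    result through `sh -c` inside a scratch directory, the way a hot-key
    action would. Returns the command string, what it printed, and which
    files exist in the directory afterwards."""
    with tempfile.TemporaryDirectory() as scratch:
        full_path = os.path.join(scratch, filename)
        with open(full_path, 'wb') as fh:
            fh.write(b'\x89PNG\r\n\x1a\n')  # constructed stand-in for an image
        cmd = template.replace('%f', escaper(full_path))
        proc = subprocess.run(['sh', '-c', cmd], cwd=scratch,
                              capture_output=True, text=True)
        return {
            'command': cmd,
            'stdout': proc.stdout.strip(),
            'files': sorted(os.listdir(scratch)),
        }


# Constructed test name with the same shape as the report's 'foo>bif bam.png'.
FILENAME = 'foo>bif bam.png'

if __name__ == '__main__':
    for label, esc in (('partial', escape_partial), ('full', escape_full)):
        result = run_hotkey('echo %f', FILENAME, esc)
        print(f"{label}: command={result['command']!r}")
        print(f"  stdout={result['stdout']!r}")
        print(f"  files={result['files']}")
```

With the partial escaper the `>` survives, so `echo` is redirected and a new file named `bif bam.png` appears instead of output on the terminal; with full quoting the whole path is echoed and no file is created. The general lesson is that allow-listing individual metacharacters is fragile; either quote the entire argument (in GLib-based C code such as gthumb, `g_shell_quote()` does this) or, better still, avoid `sh -c` and pass the filename as a separate argv element so no shell parsing happens at all.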


mjc (mjc-avtechpulse) wrote :

Yuck, why would you put angle brackets in a filename?

Anyway, gThumb has been patched to escape angle brackets (http://svn.gnome.org/viewcvs/gthumb?rev=1692&view=rev). The fix should appear in 2.10.4.

- Mike

Áron Sisak (asisak) wrote :

gthumb (3:2.10.4-0ubuntu1) gutsy; urgency=low

  * New upstream release:
    * Fixed Bug 432759 - update of the thumbnail index when files are
      added. Properly generates thumbnails for slowly generated files
      (e.g., files from a slow scanner, or oscilloscope images sent
      over a serial port).
    * Deleted unused functions: thumb_loader_get_max_file_size,
      thumb_loader_get_path, thumb_loader_set_uri, thumb_loader_get_uri,
      thumb_loader_get_image_loader.
    * When generating a new thumbnail, scale the image only if the
      original size is larger than the requested size.
    * Fixed Bug #440036 - index image maps are not xhtml compliant
    * Fixed Bug #438716 - IPTC comments are not seen by Picasa
    * Fixed Bug #444656 - write folders to CD does not work
    * Fixed Bug #446133 - Add PPM to supported types during import
    * Fixed Bug "Escape angle brackets in filenames" (LP: #119769)
    * Fixed Bug #447311 - g_thread_init warning when starting gthumb

 -- Aron Sisak <email address hidden> Wed, 20 Jun 2007 15:28:31 +0200

Changed in gthumb:
status: Unconfirmed → Fix Released