[xdg-utils] xdg-open wrongly passes all command line arguments as one argument to e.g. okular on non Gnome deskt
Rex Dieter
rdieter at fedoraproject.org
Fri Feb 20 22:01:32 UTC 2015
commit a83f3e59ad1e9363ded254f980dce55ab679b32e
Author: Rex Dieter <rdieter at math.unl.edu>
Date: Fri Feb 20 16:01:30 2015 -0600
xdg-open wrongly passes all command line arguments as one argument to e.g. okular on non Gnome desktops (#1191981)
0008-xdg-open-safer-xdg-open-BR89130.patch | 114 +++++++++++++++++++++++++++++
xdg-utils.spec | 6 +-
2 files changed, 119 insertions(+), 1 deletion(-)
---
diff --git a/0008-xdg-open-safer-xdg-open-BR89130.patch b/0008-xdg-open-safer-xdg-open-BR89130.patch
new file mode 100644
index 0000000..7bf6c9d
--- /dev/null
+++ b/0008-xdg-open-safer-xdg-open-BR89130.patch
@@ -0,0 +1,114 @@
+From 13d9b0cac97e438bf7dc06452ee7fb3480907d88 Mon Sep 17 00:00:00 2001
+From: Rex Dieter <rdieter at math.unl.edu>
+Date: Fri, 20 Feb 2015 15:54:46 -0600
+Subject: [PATCH 8/8] xdg-open: safer xdg-open (BR89130)
+
+inspired by patch from Vincent Bernat <bernat at debian.org>
+---
+ ChangeLog | 3 +++
+ scripts/xdg-open.in | 65 ++++++++++++++++++++++++++++++++---------------------
+ 2 files changed, 43 insertions(+), 25 deletions(-)
+
+diff --git a/ChangeLog b/ChangeLog
+index 9a01f82..0c0ab97 100644
+--- a/ChangeLog
++++ b/ChangeLog
+@@ -1,5 +1,8 @@
+ === xdg-utils 1.1.x ===
+
++2015-02-20 Rex Dieter <rdieter at fedoraproject.org>
++ * xdg-open: safer xdg-open (BR89130), inspired by patch from Vincent Bernat <bernat at debian.org>
++
+ 2015-01-19 Rex Dieter <rdieter at fedoraproject.org>
+ * xdg-open: better fix for command injection vulnerability (BR66670)
+ * xdg-open is extremely slow because get_key executes grep unnecessarily (BR88524)
+diff --git a/scripts/xdg-open.in b/scripts/xdg-open.in
+index ee2889e..074ba6f 100644
+--- a/scripts/xdg-open.in
++++ b/scripts/xdg-open.in
+@@ -161,7 +161,7 @@ search_desktop_file()
+ {
+ local default="$1"
+ local dir="$2"
+- local arg="$3"
++ local target="$3"
+
+ local file=""
+ # look for both vendor-app.desktop, vendor/app.desktop
+@@ -174,34 +174,49 @@ search_desktop_file()
+ if [ -r "$file" ] ; then
+ command="$(get_key "${file}" "Exec" | first_word)"
+ command_exec=`which $command 2>/dev/null`
+- arguments="$(get_key "${file}" "Exec" | last_word)"
+- arg_one="`echo "$arg" | sed 's/[&*\\]/\\\\&/g'`"
+ icon="$(get_key "${file}" "Icon")"
+- if [ "${icon}" != "" ]
+- then
+- icon="--icon '${icon}'"
+- else
+- icon="''"
+- fi
+ # FIXME: Actually LC_MESSAGES should be used as described in
+ # http://standards.freedesktop.org/desktop-entry-spec/latest/ar01s04.html
+- localised_name="'$(get_key "${file}" "Name")'"
+- arguments_exec="$(echo "$arguments" | sed -e 's*%[fFuU]*'"$arg_one"'*g' \
+- -e 's*%i*'"$icon"'*g' \
+- -e 's*%c*'"$localised_name"'*g')"
+-
+- if [ -x "$command_exec" ] ; then
+- if echo "$arguments" | grep -iq '%[fFuU]' ; then
+- echo START "$command_exec" "$arguments_exec"
+- eval "'$command_exec'" "'$arguments_exec'"
+- else
+- echo START "$command_exec" "$arguments_exec" "$arg"
+- eval "'$command_exec'" "'$arguments_exec'" "'$arg'"
+- fi
++ localised_name="$(get_key "${file}" "Name")"
++ set -- $(get_key "${file}" "Exec" | last_word)
++ # We need to replace any occurrence of "%f", "%F" and
++ # the like by the target file. We examine each
++ # argument and append the modified argument to the
++ # end then shift.
++ local args=$#
++ local replaced=0
++ while [ $args -gt 0 ]; do
++ case $1 in
++ %[c])
++ replaced=1
++ arg="${localised_name}"
++ shift
++ set -- "$@" "$arg"
++ ;;
++ %[fFuU])
++ replaced=1
++ arg="$(echo $target | sed 's/[&*\\]/\\\\&/g')"
++ shift
++ set -- "$@" "$arg"
++ ;;
++ %[i])
++ replaced=1
++ shift
++ set -- "$@" "--icon" "$icon"
++ ;;
++ *)
++ arg="$1"
++ shift
++ set -- "$@" "$arg"
++ ;;
++ esac
++ args=$(( $args - 1 ))
++ done
++ [ $replaced -eq 1 ] || set -- "$@" "$target"
++ "$command_exec" "$@"
+
+- if [ $? -eq 0 ]; then
+- exit_success
+- fi
++ if [ $? -eq 0 ]; then
++ exit_success
+ fi
+ fi
+
+--
+1.9.3
+
diff --git a/xdg-utils.spec b/xdg-utils.spec
index 8eb0a4d..1d14c7c 100644
--- a/xdg-utils.spec
+++ b/xdg-utils.spec
@@ -4,7 +4,7 @@
Summary: Basic desktop integration functions
Name: xdg-utils
Version: 1.1.0
-Release: 0.36.%{pre}%{?dist}
+Release: 0.37.%{pre}%{?dist}
URL: http://portland.freedesktop.org/
%if 0%{?pre:1}
@@ -23,6 +23,7 @@ Patch4: 0004-xdg-screensaver-Change-screensaver_freedesktop-s-int.patch
Patch5: 0005-xdg-open-better-fix-for-command-injection-vulnerabil.patch
Patch6: 0006-xdg-open-Improve-performance-of-get_key-function.patch
Patch7: 0007-Add-changelog-for-prior-commit.patch
+Patch8: 0008-xdg-open-safer-xdg-open-BR89130.patch
# make sure BuildArch comes *after* patches, to ensure %%autosetup works right
# http://bugzilla.redhat.com/1084309
@@ -97,6 +98,9 @@ make install DESTDIR=%{buildroot}
%changelog
+* Fri Feb 20 2015 Rex Dieter <rdieter at fedoraproject.org> 1.1.0-0.37.rc3
+- xdg-open wrongly passes all command line arguments as one argument to e.g. okular on non Gnome desktops (#1191981)
+
* Mon Jan 19 2015 Rex Dieter <rdieter at fedoraproject.org> 1.1.0-0.36.rc3
- pull in upstream performance improvement (fdo#88524)
More information about the scm-commits
mailing list