Control: severity -1 normal
Control: tags -1 - security
29.12.2012 15:49, Michael Tokarev wrote:
> Source: roxterm
> Version: 2.6.5-1
> Severity: grave
> Tags: security
>
> When trying to click on a URL inside the roxterm window that contains a single quote ('), the resulting command sent to the shell includes this quote and is interpreted by the shell, for example:
>
> http://example.com/quote'here
>
> will be handled as
>
> x-www-browser 'http://example.com/quote'here'
>
> In this example, shell will complain that there's no closing quote before the end of command, but I can guess this can be (ab)used for some more interesting scenarios, like to spawn commands unexpectedly:
>
> http://example.com/one'foo|bar'two
After trying to exploit this, followed by the code analysis, I found out that this is not the case. roxterm indeed constructs the command line in a single string, and adds single quotes around the URL. But the next thing it does is to call g_shell_parse_argv() on the resulting string, to create the argv[] array. And it is this function - g_shell_parse_argv() from glib - which complains about unbalanced quotes. No shell or external command run is actually involved here. So I don't think this issue is exploitable.

The bug is still present, since it errors out on certain URLs instead of displaying them, but it is not a security issue anymore, as I initially thought. Downgrading severity and untagging accordingly.

I think the easiest fix will be to disallow single quotes in URLs just like double quotes are currently handled (so that a single quote will be treated as end of URL). Yes, this way it won't be possible to use URLs with quotes in them, like

http://en.wikipedia.org/wiki/What_we've_got_here_is_(a)_failure_to_communicate

but it's a minor issue in my opinion.

Thanks,

/mjt
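As an added illustration (not roxterm's code, and not from the mail), the two URLs from the report pushed through Python's shlex, whose shlex.split() and shlex.quote() play the same role here as glib's g_shell_parse_argv() and g_shell_quote(). The quoted_command() variant is an assumed alternative fix (escape the URL before parsing), shown next to the cut-at-quote fix the mail actually proposes.

```python
import shlex

BROWSER = "x-www-browser"


def naive_command(url: str) -> str:
    """Build the string the way the report describes: literal quotes around the URL."""
    return f"{BROWSER} '{url}'"


def quoted_command(url: str) -> str:
    """Escape the URL first. shlex.quote() stands in for glib's g_shell_quote();
    this is an assumed alternative, not what roxterm or the mail does."""
    return f"{BROWSER} {shlex.quote(url)}"


def build_argv(cmdline: str):
    """Split like g_shell_parse_argv() would (shlex.split() as stand-in).

    Returns the argv list, or None when the parser rejects the string,
    which is what happens on an unbalanced quote. No shell is ever run."""
    try:
        return shlex.split(cmdline)
    except ValueError:
        return None


def url_ends_at_quote(text: str) -> str:
    """The fix proposed in the mail: cut the URL at the first single quote,
    the same way a double quote already terminates it."""
    for i, ch in enumerate(text):
        if ch in "'\"":
            return text[:i]
    return text


if __name__ == "__main__":
    # Constructed inputs: the two URLs quoted in the bug report.
    for url in ("http://example.com/quote'here", "http://example.com/one'foo|bar'two"):
        print("naive :", build_argv(naive_command(url)))   # None = parser error
        print("quoted:", build_argv(quoted_command(url)))  # URL survives intact
    print("trimmed:", url_ends_at_quote("http://en.wikipedia.org/wiki/What_we've_got"))
```

The second report URL happens to contain balanced quotes, so it parses; the `|` lands inside a single argv element that is handed to the browser as data, which is why no command is spawned.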