I can confirm the issue is still not fixed in xdg-utils 1.1.0, git snapshot from 2012-10-08. Attached patch does work for me. Please update in upstream.
-- You received this bug notification because you are a member of Desktop Packages, which is subscribed to xdg-utils in Ubuntu. https://bugs.launchpad.net/bugs/335643 Title: xdg-utils incorrectly parses output, causing wrong output Status in Xdg-utils: Confirmed Status in “xdg-utils” package in Ubuntu: Triaged Bug description: Binary package hint: xdg-utils xdg-mime fails to safely parse output from kfile, gnomevfs-info, and file -i. This allows a carefully crafted filename to be used to output arbitrary text. An example script is provided as an attachment. It creates a single file, then runs xdg-open three times, simulating three desktop environments (KDE, GNOME, other). The script helpfully notes that there has been a problem and suggests a possible solution... Note that xdg-mime is used directly by real applications, so this vulnerability may have unforeseen results. I plan to provide candidate patches shortly. To manage notifications about this bug go to: https://bugs.launchpad.net/xdg-utils/+bug/335643/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : [email protected] Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
