https://bugs.kde.org/show_bug.cgi?id=519913
Bug ID: 519913
Summary: command injection for view on background
Classification: Applications
Product: dolphin
Version First Reported In: 26.04.1
Platform: Other
OS: Linux
Status: REPORTED
Severity: normal
Priority: NOR
Component: general
Assignee: [email protected]
Reporter: [email protected]
CC: [email protected]
Target Milestone: ---
While the 26.04.01 update correctly fixes one instance of potential command
injection in `DolphinMainWindow::compareFiles` (switching from manual string
concatenation to the safer `KIO::CommandLauncherJob` constructor that takes
`program` and `args` separately), a change made in
https://invent.kde.org/system/dolphin/-/merge_requests/1258,
it misses a very similar vulnerability in the same file,
`src/dolphinmainwindow.cpp`, specifically in
`DolphinMainWindow::slotDoubleClickViewBackground`.
**Vulnerable Code:**
```cpp
if (clickAction == customCommand) {
    // run custom command set by the user
    QString path = view->url().toLocalFile();
    QString clickCustomAction = settings->doubleClickViewCustomAction();
    // {path} is substituted textually, wrapped only in double quotes;
    // a path that itself contains '"' terminates the quoting
    clickCustomAction.replace("{path}", path.prepend('"').append('"'));
    // single-string constructor: the whole line is handed to the shell
    m_job = new KIO::CommandLauncherJob(clickCustomAction);
```
**Description:**
When a user has configured a "Custom Command" for double-clicking the view
background, Dolphin replaces the `{path}` placeholder with the current
directory's local path wrapped in double quotes. This resulting string is then
passed to `KIO::CommandLauncherJob`, which executes it via the system shell.
If an attacker can convince a user to navigate to a directory with a malicious
name (e.g., `/home/user/test" ; id ; "`), the resulting command will break out
of the double quotes. For example, if the custom command is `ls {path}`, it
becomes `ls "/home/user/test" ; id ; ""`, which will execute the `id` command.
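The following is an added illustration, not code from Dolphin or from this report. It reproduces the report's quoting problem in plain C++ (no Qt or KIO) so the two patterns can be compared side by side: `buildShellCommand` is the textual `{path}` substitution from the vulnerable snippet, `buildArgv` is the approach the report recommends, where the user's template is split into tokens and the path becomes a single argv element that is never interpreted by a shell (mirroring the `program`/`args` constructor used in the `compareFiles` fix), and `shellQuote` shows the minimum required if a shell really cannot be avoided. The whitespace tokenizer in `buildArgv`, the `pathBreaksDoubleQuotes` check and the sample path are assumptions made for the example; a real implementation would use a proper argument splitter rather than `std::istringstream`.

```cpp
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

// Vulnerable pattern (as in the report): replace {path} with the path wrapped
// in double quotes and hand the resulting line to a shell. A path containing
// '"' closes the quoting and everything after it is parsed as shell syntax.
std::string buildShellCommand(const std::string &templ, const std::string &path) {
    const std::string placeholder = "{path}";
    const std::string quoted = "\"" + path + "\"";
    std::string cmd = templ;
    for (size_t pos = cmd.find(placeholder); pos != std::string::npos;
         pos = cmd.find(placeholder, pos + quoted.size())) {
        cmd.replace(pos, placeholder.size(), quoted);
    }
    return cmd;
}

// Assumed detection helper: characters a POSIX shell still interprets inside
// double quotes. Any of these makes the naive quoting above unsafe.
bool pathBreaksDoubleQuotes(const std::string &path) {
    return path.find_first_of("\"$`\\") != std::string::npos;
}

// Safe pattern: split the user's template on whitespace (assumption for this
// example) and substitute the path as one argv element. argv[0] would be the
// `program` and the rest the `args` for a launcher that bypasses the shell.
std::vector<std::string> buildArgv(const std::string &templ, const std::string &path) {
    std::vector<std::string> argv;
    std::istringstream in(templ);
    std::string tok;
    while (in >> tok) {
        argv.push_back(tok == "{path}" ? path : tok);
    }
    return argv;
}

// Fallback when a shell is unavoidable: single-quote the value and escape any
// embedded single quote as '\'' so the shell sees exactly one word.
std::string shellQuote(const std::string &s) {
    std::string out = "'";
    for (char c : s) {
        out += (c == '\'') ? "'\\''" : std::string(1, c);
    }
    out += "'";
    return out;
}

int main() {
    // Constructed directory name from the report's example.
    const std::string path = "/home/user/test\" ; id ; \"";
    const std::string templ = "ls {path}";

    std::cout << "naive: " << buildShellCommand(templ, path) << "\n";
    std::cout << "unsafe chars present: " << pathBreaksDoubleQuotes(path) << "\n";
    std::cout << "argv:";
    for (const auto &a : buildArgv(templ, path)) std::cout << " [" << a << "]";
    std::cout << "\nquoted: " << shellQuote(path) << "\n";
    return 0;
}
```

With the report's path, `buildShellCommand` yields exactly the line the report describes, while `buildArgv` yields two elements, `ls` and the unmodified directory name, so `id` never becomes a separate command.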