Public bug reported: Binary package hint: pcmanfm
When you double-click on a file to execute in pcmanfm, this will only succeed if there are no spaces in its absolute path. Spaces in the filename or in any directories in the file's full path are not escaped -- consequently, double-clicking on a file with its executable bit set results in pcmanfm attempting to execute the file whose path consists of all the characters in the original file's path before the first space. (Typically that file, if different from the original, would not exist.) I have already reproduced this bug with the latest upstream git sources and reported it on the upstream tracker: http://sourceforge.net/tracker/?func=detail&aid=3143296&group_id=156956&atid=801864 This bug is also either similar or idential to a bug previously reported last month, which was believed to be fixed in the latest git sources and marked out-of-date on the upstream tracker: http://sourceforge.net/tracker/?func=detail&aid=3101059&group_id=156956&atid=801864 The reason I am filing a report here even though I have no reason to think the issue is specific to Ubuntu and I have reported it upstream, is that it seems to me that this bug is significant enough that, once fixed, the fix ought to be backported to pcmanfm in supported Ubuntu releases. Note that this is not the same bug as Bug 686526, which applies to the URI created and passed via the --extract-here flag to file-roller. This is also not the same as the bug with upstream (SourceForge) ID 3096318 (referenced in Bug 686526), which applied to the opening (not executing) of files with certain associations. Theoretically, this is a security vulnerabilty, in that it could be exploited on a multi-user system (or any system that mounts a drive shared between systems) to cause a user to execute a malicious executable inside a sticky directory. However, I am not flagging this as a security vulnerability. Should I? That is one of the reasons I think its fix, once committed to the upstream git tree, should be backported to previous versions in Ubuntu. But it seems that the insecurity produced by this bug is small, while the unusability produced by it is large and the primary reason it should be fixed. ProblemType: Bug DistroRelease: Ubuntu 10.10 Package: pcmanfm 0.9.7-1ubuntu1 ProcVersionSignature: Ubuntu 2.6.35-24.42-generic 2.6.35.8 Uname: Linux 2.6.35-24-generic x86_64 Architecture: amd64 Date: Thu Dec 23 20:59:07 2010 ExecutablePath: /usr/bin/pcmanfm InstallationMedia: Xubuntu 10.04 "Lucid Lynx" - Beta amd64 (20100406) Pref_Config_System_Lubuntu: [Preferred Applications] WebBrowser=firefox.desktop MailClient= ProcEnviron: LANGUAGE=en_US.utf8 LANG=en_US.utf8 LC_MESSAGES=en_US.utf8 SHELL=/bin/bash RelatedPackageVersions: libmenu-cache1 0.3.2-2 pcmanfm 0.9.7-1ubuntu1 udisks 1.0.1+git20100614-3 gvfs 1.6.4-0ubuntu1.1 SourcePackage: pcmanfm ** Affects: pcmanfm Importance: Unknown Status: Unknown ** Affects: pcmanfm (Ubuntu) Importance: Undecided Status: New ** Tags: amd64 apport-bug i386 maverick natty -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/693990 Title: pcmanfm doesn't escape spaces in filenames it executes -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
