Right, as I noted in the original description, various escaping of the
argument in the .desktop file fixes it for some filenames but still
breaks for other file names, and is definitely open to intentional
attacks. The real fix needs to be done in some more solid way...

I am thinking whether or not kdesu should just shell-escape its
arguments. Kdesu should also have something similar to the GNU -- option
to stop parsing for parameters and assume everything after -- is one
large parameter. Is there any real use case for kdesu taking in Bourne
shell syntax?

-- 
kdesudo+dolphin leads to command execution vulnerability
https://bugs.launchpad.net/bugs/163417
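
The shell-escaping and `--` ideas raised in the message above, as an added example that is not part of the original post and is not kdesu code. `shell_quote`, `seen_by_child` and `roundtrip` are hypothetical helpers, the file names are constructed, and `sh -c` stands in for any launcher that receives its command as one shell string.

```shell
#!/bin/sh
# Added illustration: hypothetical helper names, constructed file names.

# shell_quote ARG: print ARG as a single-quoted POSIX shell word.
# Each embedded ' is written as '\'' (close quote, escaped quote, reopen).
shell_quote() (
    rest=$1 out=
    while :; do
        case $rest in
            *\'*) head=${rest%%\'*}; rest=${rest#*\'}; out="$out$head'\\''" ;;
            *)    out="$out$rest"; break ;;
        esac
    done
    printf "'%s'" "$out"
)

# seen_by_child TEXT: stand-in for a launcher that pastes TEXT into a shell
# command line. The child reports "<argument count>|<first argument>".
# "set --" is the shell's own end-of-options marker, so a name that starts
# with "-" is taken as data and not as an option.
seen_by_child() {
    sh -c "set -- $1; printf '%s|%s' \"\$#\" \"\$1\""
}

# roundtrip NAME: succeed only if the quoted NAME reaches the child as
# exactly one argument, byte for byte.
roundtrip() {
    [ "$(seen_by_child "$(shell_quote "$1")")" = "1|$1" ]
}

# A harmless name with a space already splits when pasted in unquoted.
echo "unquoted 'my file.txt' -> $(seen_by_child 'my file.txt')"

# Constructed names covering quotes, substitutions, separators, globs
# and a leading dash.
for name in 'my file.txt' "it's here.txt" 'a;b $(echo x) `echo y`.txt' \
            '"dq" & *?.txt' '-rf'; do
    if roundtrip "$name"; then
        echo "ok:   $name"
    else
        echo "FAIL: $name"
    fi
done
```

Quoting is only needed because a shell re-parses the string; a launcher that passes the file name as its own argv element after `--` never needs it.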