Hi,

Are you sure this is vulnerable? I did not manage to trigger anything problematic.
The code referenced is (in fallback_open_uri):

    gint argc;
    gchar **argv = NULL;
    char *cmd_line = g_strconcat (browser, " %1", NULL);

    if (g_shell_parse_argv (cmd_line, &argc, &argv, err)) {
        /* check for '%1' in an argument and substitute the url
         * otherwise append it */
        gint i;
        char *tmp;

        for (i = 1 ; i < argc ; i++)
            if (NULL != (tmp = strstr (argv[i], "%1"))) {
                *tmp = '\0';
                tmp = g_strconcat (argv[i],
                    (clean_url != NULL) ? (char const *)clean_url : url,
                    tmp+2, NULL);
                g_free (argv[i]);
                argv[i] = tmp;
                break;
            }

        /* there was actually a %1, drop the one we added */
        if (i != argc-1) {
            g_free (argv[argc-1]);
            argv[argc-1] = NULL;
        }
        g_spawn_async (NULL, argv, NULL, G_SPAWN_SEARCH_PATH,
            NULL, NULL, NULL, err);
        g_strfreev (argv);
    }
    g_free (cmd_line);

This seems correct with respect to injection through the URI. The browser command line is split by g_shell_parse_argv before the URL is substituted into a single argv element, so the URI string cannot be expanded into multiple arguments, and it is not passed to `system()`.

--
Gabriel