Hi Sebastiaan, thank you for bringing this to our attention.
> Example: Copy the following 2 lines into the clipboard, then run the
> 'clipbrowse' command:
>
> https://www.example.com
> echo echo p0wned | sh
>
> This results in the browser opening the requested URL in the foreground, while
> simultaneously running the specified command in the background.

indeed :-(

> I believe the cause of this is not enclosing a variable with double quotes:
>
> The original source code (
> https://github.com/shlomif/Clipboard/blob/master/scripts/clipbrowse ) has
> double quotes around the variable %s
> my $browser = $ENV{BROWSER} || 'chromium-browser "%s"';
> And performs some string sanitizing in other lines.
>
> The Debian version does not have these quotes, making the string sanitizing
> ineffective:
> '/usr/bin/clipbrowse' contains the following line:
> my $browser = $ENV{BROWSER} || 'sensible-browser %s';
>
> I have not checked if other packages that have been changed to use
> sensible-browser have the same issue.

I'm going to upload a new version which adds the missing quotes in that line as
well for the case where the user specifies BROWSER without including a %s. I've
opened a PR upstream to fix that second case.

I'm unsure if that's sufficient, or if we should work to get the fix into
(old-)stable versions of Debian as well. What do other Perl team members think?

Florian
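The following Perl script is an added illustration of the quoting issue discussed in the thread; it is not code from clipbrowse, the Debian package, or either poster. It assumes a sprintf-style substitution of the clipboard text into the %s of the BROWSER template followed by a single-string system() call (which goes through /bin/sh -c), uses `echo` in place of a real browser so the constructed payload only prints, and stands in for the script's sanitizing with a simple double-quote escape (an assumption, not the script's actual code). It also shows the shell-free alternative of list-form system(), and handles the BROWSER-without-%s case the reply mentions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed clipboard content matching the report: a URL on the first line
# and a shell pipeline on the second.
my $clipboard = "https://www.example.com\necho echo p0wned | sh";

# Templates shaped like the two packaged defaults: no quotes around %s (as in
# the Debian line) versus %s inside double quotes (as upstream).  The browser
# is replaced by echo so the demonstration is harmless.
my $debian_tpl   = 'echo BROWSER-ARG: %s';
my $upstream_tpl = 'echo BROWSER-ARG: "%s"';

# Stand-in for the script's sanitizing (assumption: only double quotes are
# escaped).  This is only useful when %s sits inside double quotes.
sub sanitize {
    my ($s) = @_;
    $s =~ s/"/\\"/g;
    return $s;
}

# Build the single-string command produced by a %s substitution.  Passing such
# a string to system() hands it to /bin/sh -c, so an unquoted newline or
# semicolon in the clipboard text becomes a command separator.
sub build_shell_command {
    my ($template, $clip) = @_;
    my $arg = sanitize($clip);
    $template .= ' "%s"' unless $template =~ /%s/;   # BROWSER set without %s
    (my $cmd = $template) =~ s/%s/$arg/;
    return $cmd;
}

# Hardened alternative: never go through the shell.  Split the template into
# words, substitute the raw clipboard text into the word holding %s, and call
# system() in list form so the whole text stays inside one argv element.
sub build_argv {
    my ($template, $clip) = @_;
    my @argv = split ' ', $template;
    push @argv, '%s' unless grep { /%s/ } @argv;    # BROWSER set without %s
    return map { (my $w = $_) =~ s/%s/$clip/; $w } @argv;
}

for my $tpl ($debian_tpl, $upstream_tpl) {
    my $cmd = build_shell_command($tpl, $clipboard);
    print "--- system(\"$tpl\") via /bin/sh:\n";
    # Unquoted %s: sh runs the echo, then runs "echo echo p0wned | sh",
    # which prints "p0wned".  Quoted %s: one echo whose argument contains
    # the newline, so the second line is printed, not executed.
    system($cmd) == 0 or warn "shell exited with status $?\n";
}

my @argv = build_argv('echo BROWSER-ARG: %s', $clipboard);
print "--- list-form system(), ", scalar(@argv), " argv elements, no shell:\n";
system(@argv) == 0 or warn "command exited with status $?\n";
```

Run it with `perl` on a system with /bin/sh and echo in PATH. Note that adding the double quotes restores the effect of the quote-escaping, but inside sh double quotes `$(...)`, backticks and backslash sequences are still interpreted, so a clipboard payload using those would survive a quoted %s. Calling system() with a list (or otherwise avoiding the shell) removes the whole class of problem, which is why the shell-free variant is shown alongside the quoted one.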