Bug 710570 - EphyWindow: Avoid passing unquoted uri to /bin/sh
Status: RESOLVED FIXED
Product: epiphany
Classification: Core
Component: General
unspecified
Other All
: Normal normal
: ---
Assigned To: Epiphany Maintainers
polish
Reported: 2013-10-21 18:31 UTC by Colin Walters
Modified: 2014-01-02 13:30 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
EphyWindow: Avoid passing unquoted uri to /bin/sh (1.47 KB, patch)
2013-10-21 18:31 UTC, Colin Walters
committed

Description Colin Walters 2013-10-21 18:31:10 UTC
While in this case we're probably safe because this code path is
for embedding users and thus aren't going to be subject to code
injection attacks, we're still going to fail if the argument
contains shell metacharacters.

Fix that by using g_spawn_async() which doesn't go through /bin/sh.
Tested compilation, not at runtime, but should work.
Comment 1 Colin Walters 2013-10-21 18:31:11 UTC
Created attachment 257786
EphyWindow: Avoid passing unquoted uri to /bin/sh
Comment 2 Claudio Saavedra 2014-01-02 09:58:10 UTC
Review of attachment 257786:

Looks good.
Comment 3 Colin Walters 2014-01-02 13:30:27 UTC
Attachment 257786 pushed as cb869fa - EphyWindow: Avoid passing unquoted uri to /bin/sh