Reported security issue with Terminal-0.2.6.
<quote>
Clicking "Open Link" on a malicious link may leak information or allow remote shell command execution, because Xfce Terminal uses /bin/sh -c with gdk_spawn_on_screen for running the browser, with no proper escaping of the URI. A recommended fix would be to use the execvp(2) series of functions with no shell.

Example URIs:
http://foo.bar/$(xterm)/ - remote command execution
http://google.com/search?q=$(ls)&sourceid=b0rk - used for stealing information
http://google.com/search?q=$HOME - examine environment

The behavior of these may vary depending on the browser chosen. I can verify the current results on two computers with the default setting "Mozilla Firefox" chosen, using Terminal-0.2.6.
</quote>
Fixed with revision 25929.

2007-07-20 Benedikt Meurer <benny@xfce.org>

	* helpers/, icons/, terminal/, Makefile.am, NEWS, Terminal.ui, configure.in.in, doc/: Drop the preferred application handling from Terminal and use the Xfce preferred application directly. This fixes a security issue, where the URL handling allowed for remote shell command execution, because the helper scripts were run via the shell (Bug #3383).
Will there be a patch fixing this bug against stable version 0.2.6? Regards, -- Yves-Alexis Perez
Hm, that was quite a large change. It wouldn't make sense to backport it (you could use the current svn, which is not that different from 0.2.6). If you don't want to use an svn version, you can try a quickfix: in terminal-helper.c, function terminal_helper_execute, g_shell_quote() the uri prior to inserting it into the command string. That should be enough to avoid the security issue.
We went with snapshot of current svn, but a released tarball would be nice. 0.2.6.1, 0.2.7..
Created attachment 1309 Fix for 0.2.6
With this patch, command execution is fixed, but ENV variables can still be reached via clicking a URL. Just write it to Terminal and click: www.foobar.com/$HOME
Created attachment 1311
Full Patch for CVE-2007-3770
Here is a full patch; even ENV variables can't be reached.