124116 – "Place in System Tray"option for application launching apparently doesn't work when argument contains characters that should be escaped

Bug 124116 - "Place in System Tray"option for application launching apparently doesn't work when argument contains characters that should be escaped

Summary: "Place in System Tray"option for application launching apparently doesn't wor...

Status:	RESOLVED FIXED

Alias:	None

Product:	konqueror
Classification:	Applications
Component:	general (show other bugs)
Version:	unspecified
Platform:	unspecified Linux

Importance:	NOR normal
Target Milestone:	---
Assignee:	Konqueror Developers

URL:
Keywords:

Depends on:
Blocks:

Reported:	2006-03-23 09:01 UTC by Ned Boony
Modified:	2006-08-11 18:01 UTC (History)
CC List:	1 user (show)

See Also:
Latest Commit:
Version Fixed In:

Attachments
Add an attachment

Note You need to log in before you can comment on or make changes to this bug.

Description Ned Boony 2006-03-23 09:01:20 UTC

Version:           3.5.1 (using KDE 3.5.1, Gentoo)
Compiler:          gcc version 3.3.5-20050130 (Gentoo 3.3.5.20050130-r1, ssp-3.3.5.20050130-1, pie-8.7.7.1)
OS:                Linux (i686) release 2.6.14-gentoo-r5

An application resource with a typical command line like 'command "%u"' or whatever and having the "place in system tray" option checked will not launch the application correctly, if at all, if the url has special characters. I assume this is because KDE calls ksystraycmd but forgets to escape characters like (, ), etc, causing the shell call to fail.

I'm guessing this is what happened, anyway, when I encountered this problem when setting up a resource for mplayer, then trying to load a file in a directory that had ()'s in it.

Comment 1 Juliano F. Ravasi 2006-07-26 01:22:16 UTC

Seems to be a ksystraycmd bug.

~% cat test.sh
#!/bin/sh
for i; do echo "$i"; done
~% ./test.sh "The quick brown fox jumps over the lazy dog"
The quick brown fox jumps over the lazy dog
~% ksystraycmd ./test.sh "The quick brown fox jumps over the lazy dog"
The
quick
brown
fox
jumps
over
the
lazy
dog

Looks like ksystraycmd, instead of executing the command, passes all the arguments on a command line to your shell, which inherently creates a security vulnerability.

Let's say you downloaded a file named "Who let the dogs out&echo Gotcha&.mp3", if your media player is configured to execute through ksystraycmd, you get:

~% ksystraycmd amarok "Who let the dogs out&echo Gotcha&.mp3"
Gotcha
zsh: command not found: .mp3
~%

Note that "echo Gotcha" got executed.

This should be considered a serious security bug. Anyone who checks the "Place in system tray" option is becoming vulnerable to a shell script insertion attack on filenames.

Comment 2 Dirk Mueller 2006-08-11 17:58:13 UTC

SVN commit 572103 by mueller:

fix argument getting de-quoted
BUG:124116


 M  +2 -1      main.cpp  


--- branches/KDE/3.5/kdebase/ksystraycmd/main.cpp #572102:572103
@@ -5,6 +5,7 @@
 #include <kcmdlineargs.h>
 #include <kdebug.h>
 #include <klocale.h>
+#include <kprocess.h>
 
 #include "ksystraycmd.h"
 
@@ -94,7 +95,7 @@
   // Read the command
   QString command;
   for ( int i = 0; i < args->count(); i++ )
-    command += QCString( args->arg(i) ) + " ";
+    command += KProcess::quote(QString::fromLocal8Bit( args->arg(i) )) + " ";
   if ( !command.isEmpty() )
       cmd.setCommand( command );

Comment 3 Dirk Mueller 2006-08-11 18:01:00 UTC

SVN commit 572104 by mueller:

fix argument quoting
CCBUG: 124116


 M  +2 -1      main.cpp  


--- trunk/KDE/kdebase/workspace/ksystraycmd/main.cpp #572103:572104
@@ -5,6 +5,7 @@
 #include <kcmdlineargs.h>
 #include <kdebug.h>
 #include <klocale.h>
+#include <kprocess.h>
 
 #include "ksystraycmd.h"
 
@@ -96,7 +97,7 @@
   // Read the command
   QString command;
   for ( int i = 0; i < args->count(); i++ )
-    command += QString( args->arg(i) ) + ' ';
+    command += KProcess::quote(QString::fromLocal8Bit( args->arg(i) )) + ' ';
   if ( !command.isEmpty() )
       cmd.setCommand( command );