Bug 124116

Summary: "Place in System Tray" option for application launching apparently doesn't work when argument contains characters that should be escaped
Product: [Applications] konqueror
Reporter: Ned Boony <crazyned>
Component: general
Assignee: Konqueror Developers <konq-bugs>
Status: RESOLVED FIXED
Severity: normal
CC: bugs+kde
Priority: NOR
Version: unspecified
Target Milestone: ---
Platform: unspecified
OS: Linux

Description Ned Boony 2006-03-23 09:01:20 UTC
Version:           3.5.1 (using KDE 3.5.1, Gentoo)
Compiler:          gcc version 3.3.5-20050130 (Gentoo 3.3.5.20050130-r1, ssp-3.3.5.20050130-1, pie-8.7.7.1)
OS:                Linux (i686) release 2.6.14-gentoo-r5

An application resource with a typical command line like 'command "%u"' or whatever and having the "place in system tray" option checked will not launch the application correctly, if at all, if the url has special characters. I assume this is because KDE calls ksystraycmd but forgets to escape characters like (, ), etc, causing the shell call to fail.

I'm guessing this is what happened, anyway, when I encountered this problem when setting up a resource for mplayer, then trying to load a file in a directory that had ()'s in it.

Comment 1 Juliano F. Ravasi 2006-07-26 01:22:16 UTC
Seems to be a ksystraycmd bug.

~% cat test.sh
#!/bin/sh
for i; do echo "$i"; done
~% ./test.sh "The quick brown fox jumps over the lazy dog"
The quick brown fox jumps over the lazy dog
~% ksystraycmd ./test.sh "The quick brown fox jumps over the lazy dog"
The
quick
brown
fox
jumps
over
the
lazy
dog

Looks like ksystraycmd, instead of executing the command, passes all the arguments on a command line to your shell, which inherently creates a security vulnerability.

Let's say you downloaded a file named "Who let the dogs out&echo Gotcha&.mp3", if your media player is configured to execute through ksystraycmd, you get:

~% ksystraycmd amarok "Who let the dogs out&echo Gotcha&.mp3"
Gotcha
zsh: command not found: .mp3
~%

Note that "echo Gotcha" got executed.

This should be considered a serious security bug. Anyone who checks the "Place in system tray" option is becoming vulnerable to a shell script insertion attack on filenames.
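
The behaviour reported in comment 1, next to per-argument quoting of the kind the commits below introduce, as an added example that is not part of the bug report or of KDE's code. It is standalone C++ with no Qt; `shellQuote`, `joinCommand`, `runInShell` and `kSampleArgv` are hypothetical names, and `shellQuote` is a stand-in for a quoting step, not `KProcess::quote` itself.

```cpp
// Added example, not KDE code: standalone C++ with no Qt. All names are hypothetical.
#include <cstdio>
#include <iostream>
#include <string>
#include <vector>

// Stand-in for a quoting step (not KProcess::quote itself): wrap one argument in
// single quotes for a POSIX shell, writing an embedded ' as '\''.
std::string shellQuote(const std::string &arg) {
    std::string out = "'";
    for (char c : arg) {
        if (c == '\'') out += "'\\''";
        else out += c;
    }
    return out + "'";
}

// Join the arguments into one command string, with or without per-argument quoting.
std::string joinCommand(const std::vector<std::string> &argv, bool quote) {
    std::string command;
    for (const std::string &a : argv)
        command += (quote ? shellQuote(a) : a) + " ";
    return command;
}

// Hand the string to /bin/sh (popen does exactly that) and capture its stdout.
std::string runInShell(const std::string &command) {
    std::string output;
    FILE *pipe = popen(command.c_str(), "r");
    if (!pipe) return output;
    char buf[256];
    while (fgets(buf, sizeof buf, pipe)) output += buf;
    pclose(pipe);
    return output;
}

// Constructed sample: echo stands in for the media player; file name from comment 1.
const std::vector<std::string> kSampleArgv = {
    "echo", "Who let the dogs out&echo Gotcha&.mp3"};

int main() {
    // Unquoted: the shell sees three commands, so "Gotcha" appears on its own line.
    std::cout << "unquoted:\n"
              << runInShell(joinCommand(kSampleArgv, false) + "2>/dev/null");
    // Quoted: the file name reaches echo as one argument, metacharacters intact.
    std::cout << "quoted:\n" << runInShell(joinCommand(kSampleArgv, true));
    return 0;
}
```
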

Comment 2 Dirk Mueller 2006-08-11 17:58:13 UTC
SVN commit 572103 by mueller:

fix argument getting de-quoted
BUG:124116


 M  +2 -1      main.cpp  


--- branches/KDE/3.5/kdebase/ksystraycmd/main.cpp #572102:572103
@@ -5,6 +5,7 @@
 #include <kcmdlineargs.h>
 #include <kdebug.h>
 #include <klocale.h>
+#include <kprocess.h>
 
 #include "ksystraycmd.h"
 
@@ -94,7 +95,7 @@
   // Read the command
   QString command;
   for ( int i = 0; i < args->count(); i++ )
-    command += QCString( args->arg(i) ) + " ";
+    command += KProcess::quote(QString::fromLocal8Bit( args->arg(i) )) + " ";
   if ( !command.isEmpty() )
       cmd.setCommand( command );
 
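Review bot: In the loop, `command += KProcess::quote(...) + " ";` still flattens the arguments into one string for `cmd.setCommand( command )`, so safety depends entirely on the quoting matching whatever later parses that string. If the class behind `cmd` can accept the arguments as a list, passing each `args->arg(i)` through unjoined would remove the re-parsing step altogether. Separately, `QString::fromLocal8Bit` may not round-trip file names whose bytes are not valid in the current locale encoding; a check that such names reach the child process unchanged would be worthwhile.
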
Comment 3 Dirk Mueller 2006-08-11 18:01:00 UTC
SVN commit 572104 by mueller:

fix argument quoting
CCBUG: 124116


 M  +2 -1      main.cpp  


--- trunk/KDE/kdebase/workspace/ksystraycmd/main.cpp #572103:572104
@@ -5,6 +5,7 @@
 #include <kcmdlineargs.h>
 #include <kdebug.h>
 #include <klocale.h>
+#include <kprocess.h>
 
 #include "ksystraycmd.h"
 
@@ -96,7 +97,7 @@
   // Read the command
   QString command;
   for ( int i = 0; i < args->count(); i++ )
-    command += QString( args->arg(i) ) + ' ';
+    command += KProcess::quote(QString::fromLocal8Bit( args->arg(i) )) + ' ';
   if ( !command.isEmpty() )
       cmd.setCommand( command );
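
Review bot: The changed line `command += KProcess::quote(...) + ' ';` has no comment saying why each argument is quoted, and the log message "fix argument quoting" does not mention that this is what keeps shell metacharacters in an argument from being interpreted (the case reported in comment 1). A short comment above the loop would keep the quote call from being dropped in a later cleanup, and a regression test with arguments containing spaces, `&`, parentheses and a single quote would pin the behaviour. The loop also leaves a trailing space after the last argument; harmless, but joining with a separator would be tidier.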